treewide: remove paxutils from stdenv

More then one year ago we removed grsecurity kernels from nixpkgs:
#25277

This removes now also paxutils from stdenv.

doc/stdenv.xml

@@ -2433,30 +2433,6 @@ addEnvHooks "$hostOffset" myBashFunction
       </para>
      </listitem>
     </varlistentry>
-    <varlistentry>
-     <term>
-      paxctl
-     </term>
-     <listitem>
-      <para>
-       Defines the <varname>paxmark</varname> helper for setting per-executable
-       PaX flags on Linux (where it is available by default; on all other
-       platforms, <varname>paxmark</varname> is a no-op). For example, to
-       disable secure memory protections on the executable
-       <replaceable>foo</replaceable>
-<programlisting>
-      postFixup = ''
-        paxmark m $out/bin/<replaceable>foo</replaceable>
-      '';
-    </programlisting>
-       The <literal>m</literal> flag is the most common flag and is typically
-       required for applications that employ JIT compilation or otherwise need
-       to execute code generated at run-time. Disabling PaX protections should
-       be considered a last resort: if possible, problematic features should be
-       disabled or patched to work with PaX.
-      </para>
-     </listitem>
-    </varlistentry>
     <varlistentry>
      <term>
       autoPatchelfHook

pkgs/applications/altcoins/parity-ui/default.nix

@@ -34,8 +34,6 @@ in stdenv.mkDerivation rec {
 
     find $out/share/parity-ui -name "*.node" -exec patchelf --set-rpath "${uiEnv.libPath}:$out/share/parity-ui" {} \;
 
-    paxmark m $out/share/parity-ui/parity-ui
-
     mkdir -p $out/bin
     ln -s $out/share/parity-ui/parity-ui $out/bin/parity-ui
   '';

pkgs/applications/editors/atom/default.nix

@@ -70,9 +70,6 @@ let
       ln -s ${pkgs.git}/bin/git $dugite/git/libexec/git-core/git
 
       find $share -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$share" {} \;
-
-      paxmark m $share/atom
-      paxmark m $share/resources/app/apm/bin/node
     '';
 
     meta = with stdenv.lib; {

pkgs/applications/networking/browsers/chromium/common.nix

@@ -282,8 +282,6 @@ let
           MENUNAME="Chromium"
           process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1"
         )
-      '' + optionalString (target == "mksnapshot" || target == "chrome") ''
-        paxmark m "${buildPath}/${target}"
       '';
       targets = extraAttrs.buildTargets or [];
       commands = map buildCommand targets;

pkgs/applications/networking/browsers/firefox/common.nix

@@ -263,20 +263,12 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
   doCheck = false; # "--disable-tests" above
 
-  preInstall = ''
-    # The following is needed for startup cache creation on grsecurity kernels.
-    paxmark m dist/bin/xpcshell
-  '';
-
   installPhase = if stdenv.isDarwin then ''
     mkdir -p $out/Applications
     cp -LR dist/Firefox.app $out/Applications
   '' else null;
 
   postInstall = lib.optionalString stdenv.isLinux ''
-    # For grsecurity kernels
-    paxmark m $out/lib/firefox*/{firefox,firefox-bin,plugin-container}
-
     # Remove SDK cruft. FIXME: move to a separate output?
     rm -rf $out/share/idl $out/include $out/lib/firefox-devel-*
 

pkgs/applications/networking/instant-messengers/discord/default.nix

@@ -32,8 +32,6 @@ stdenv.mkDerivation rec {
         patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \
                  $out/opt/discord/Discord
 
-        paxmark m $out/opt/discord/Discord
-
         wrapProgram $out/opt/discord/Discord --prefix LD_LIBRARY_PATH : ${libPath}
 
         ln -s $out/opt/discord/Discord $out/bin/

pkgs/applications/networking/instant-messengers/franz/default.nix

@@ -54,7 +54,6 @@ in stdenv.mkDerivation rec {
   '';
 
   postFixup = ''
-    paxmark m $out/opt/franz/Franz
     wrapProgram $out/opt/franz/Franz --prefix PATH : ${xdg_utils}/bin
   '';
 

pkgs/applications/networking/instant-messengers/wavebox/default.nix

@@ -52,7 +52,6 @@ in stdenv.mkDerivation rec {
   '';
 
   postFixup = ''
-    paxmark m $out/opt/wavebox/Wavebox
     makeWrapper $out/opt/wavebox/Wavebox $out/bin/wavebox \
       --prefix PATH : ${xdg_utils}/bin
   '';

pkgs/applications/networking/mailreaders/thunderbird/default.nix

@@ -100,26 +100,17 @@ in stdenv.mkDerivation rec {
     ''
       cxxLib=$( echo -n ${gcc}/include/c++/* )
       archLib=$cxxLib/$( ${gcc}/bin/gcc -dumpmachine )
-  
+
       test -f layout/style/ServoBindings.toml && sed -i -e '/"-DRUST_BINDGEN"/ a , "-cxx-isystem", "'$cxxLib'", "-isystem", "'$archLib'"' layout/style/ServoBindings.toml
 
       configureScript="$(realpath ./configure)"
       mkdir ../objdir
       cd ../objdir
     '';
 
-  preInstall =
-    ''
-      # The following is needed for startup cache creation on grsecurity kernels.
-      paxmark m ../objdir/dist/bin/xpcshell
-    '';
-
   dontWrapGApps = true; # we do it ourselves
   postInstall =
     ''
-      # For grsecurity kernels
-      paxmark m $out/lib/thunderbird/thunderbird
-
       # TODO: Move to a dev output?
       rm -rf $out/include $out/lib/thunderbird-devel-* $out/share/idl
 

pkgs/applications/office/mendeley/default.nix

@@ -112,7 +112,6 @@ stdenv.mkDerivation {
     patchelf --set-interpreter $interpreter \
              --set-rpath ${stdenv.lib.makeLibraryPath deps}:$out/lib \
              $out/bin/mendeleydesktop
-    paxmark m $out/bin/mendeleydesktop
 
     wrapProgram $out/bin/mendeleydesktop \
       --add-flags "--unix-distro-build" \

pkgs/applications/virtualization/qemu/default.nix

@@ -125,9 +125,6 @@ stdenv.mkDerivation rec {
 
   postFixup =
     ''
-      for exe in $out/bin/qemu-system-* ; do
-        paxmark m $exe
-      done
       # copy qemu-ga (guest agent) to separate output
       mkdir -p $ga/bin
       cp $out/bin/qemu-ga $ga/bin/

pkgs/development/compilers/adoptopenjdk-bin/jdk-linux-base.nix

@@ -61,14 +61,6 @@ let result = stdenv.mkDerivation rec {
   installPhase = ''
     cd ..
 
-    # Set PaX markings
-    exes=$(file $sourceRoot/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
-    for file in $exes; do
-      paxmark m "$file"
-      # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
-      ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
-    done
-
     mv $sourceRoot $out
 
     rm -rf $out/demo

pkgs/development/compilers/gcc/builder.sh

@@ -282,11 +282,6 @@ postInstall() {
         fi
     done
 
-    # Disable RANDMMAP on grsec, which causes segfaults when using
-    # precompiled headers.
-    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
-    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
-
     # Two identical man pages are shipped (moving and compressing is done later)
     ln -sf gcc.1 "$out"/share/man/man1/g++.1
 }

pkgs/development/compilers/ghc/8.2.2-binary.nix

@@ -105,8 +105,6 @@ stdenv.mkDerivation rec {
           --replace-needed libtinfo.so libtinfo.so.5 \
           --interpreter ${glibcDynLinker} {} \;
 
-      paxmark m ./ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
-
       sed -i "s|/usr/bin/perl|perl\x00        |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
       sed -i "s|/usr/bin/gcc|gcc\x00        |" ghc-${version}/ghc/stage2/build/tmp/ghc-stage2
     '';

pkgs/development/compilers/ghc/8.2.2.nix

@@ -238,11 +238,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/ghc/8.4.4.nix

@@ -214,11 +214,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/ghc/8.6.1.nix

@@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/ghc/8.6.2.nix

@@ -195,11 +195,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/ghc/8.6.3.nix

@@ -192,11 +192,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/ghc/head.nix

@@ -177,11 +177,6 @@ stdenv.mkDerivation (rec {
   hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.targetPlatform.isMusl "pie";
 
   postInstall = ''
-    for bin in "$out"/lib/${name}/bin/*; do
-      isELF "$bin" || continue
-      paxmark m "$bin"
-    done
-
     # Install the bash completion file.
     install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc
 

pkgs/development/compilers/jetbrains-jdk/default.nix

@@ -25,11 +25,6 @@ let drv = stdenv.mkDerivation rec {
   installPhase = ''
     cd ..
 
-    exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
-    for file in $exes; do
-      paxmark m "$file"
-    done
-
     mv $sourceRoot $out
     jrePath=$out/jre
   '';

pkgs/development/compilers/julia/default.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchurl, fetchzip
 # build tools
-, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl
+, gfortran, m4, makeWrapper, patchelf, perl, which, python2
 # libjulia dependencies
 , libunwind, readline, utf8proc, zlib
 , llvm
@@ -75,7 +75,7 @@ stdenv.mkDerivation rec {
   patches = [
     ./0001.1-use-system-utf8proc.patch
     ./0002-use-system-suitesparse.patch
-  ] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch;
+  ];
 
   postPatch = ''
     patchShebangs . contrib
@@ -96,8 +96,7 @@ stdenv.mkDerivation rec {
   ++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
   ;
 
-  nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]
-    ++ stdenv.lib.optional stdenv.needsPax paxctl;
+  nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
 
   makeFlags =
     let

pkgs/development/compilers/julia/shared.nix

@@ -5,7 +5,7 @@
 }:
 { stdenv, fetchurl, fetchzip
 # build tools
-, gfortran, m4, makeWrapper, patchelf, perl, which, python2, paxctl
+, gfortran, m4, makeWrapper, patchelf, perl, which, python2
 , llvm, cmake
 # libjulia dependencies
 , libunwind, readline, utf8proc, zlib
@@ -95,7 +95,7 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./0001.1-use-system-utf8proc.patch
-  ] ++ stdenv.lib.optional stdenv.needsPax ./0004-hardened.patch;
+  ];
 
   postPatch = ''
     patchShebangs . contrib
@@ -117,8 +117,7 @@ stdenv.mkDerivation rec {
   ++ stdenv.lib.optionals stdenv.isDarwin [CoreServices ApplicationServices]
   ;
 
-  nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ]
-    ++ stdenv.lib.optional stdenv.needsPax paxctl;
+  nativeBuildInputs = [ curl gfortran m4 makeWrapper patchelf perl python2 which ];
 
   makeFlags =
     let

pkgs/development/compilers/llvm/3.5/llvm.nix

@@ -81,12 +81,6 @@ in stdenv.mkDerivation rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
-
-    paxmark m unittests/ExecutionEngine/JIT/JITTests
-    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
-    paxmark m unittests/Support/SupportTests
   '';
 
   enableParallelBuilding = true;

pkgs/development/compilers/llvm/3.7/llvm.nix

@@ -89,8 +89,6 @@ in stdenv.mkDerivation rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
   '';
 
   enableParallelBuilding = true;

pkgs/development/compilers/llvm/3.8/llvm.nix

@@ -97,8 +97,6 @@ in stdenv.mkDerivation rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
   '';
 
   postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''

pkgs/development/compilers/llvm/3.9/llvm.nix

@@ -141,8 +141,6 @@ in stdenv.mkDerivation rec {
 
   postBuild = ''
     rm -fR $out
-
-    paxmark m bin/{lli,llvm-rtdyld}
   '';
 
   postInstall = ""