Merge #2798: stdenv and a few other big updates

Stdenv-changing things:
    - gcc 4.8.2 -> 4.8.3
    - long-running grsecurity branch
Others:
    - pkgconfig update
    - CVE for libtasn1, dbus

Conflicts (simple):
    pkgs/development/compilers/ghc/7.6.3.nix

pkgs/applications/networking/browsers/chromium/browser.nix

@@ -1,11 +1,11 @@
-{ stdenv, mkChromiumDerivation }:
+{ stdenv, mkChromiumDerivation, arch }:
 
 with stdenv.lib;
 
 mkChromiumDerivation (base: rec {
   name = "chromium-browser";
   packageName = "chromium";
-  buildTargets = [ "chrome" ];
+  buildTargets = [ "mksnapshot.${arch}" "chrome" ];
 
   installPhase = ''
     ensureDir "$libExecPath"

pkgs/applications/networking/browsers/chromium/common.nix

@@ -30,6 +30,7 @@
 
 , source
 , plugins
+, archInfo
 }:
 
 buildFun:
@@ -172,13 +173,7 @@ let
       # enable support for the H.264 codec
       proprietary_codecs = true;
       ffmpeg_branding = "Chrome";
-    } // optionalAttrs (stdenv.system == "x86_64-linux") {
-      target_arch = "x64";
-      python_arch = "x86-64";
-    } // optionalAttrs (stdenv.system == "i686-linux") {
-      target_arch = "ia32";
-      python_arch = "ia32";
-    } // (extraAttrs.gypFlags or {}));
+    } // archInfo // (extraAttrs.gypFlags or {}));
 
     configurePhase = ''
       # This is to ensure expansion of $out.
@@ -190,14 +185,21 @@ let
     buildPhase = let
       CC = "${gcc}/bin/gcc";
       CXX = "${gcc}/bin/g++";
-    in ''
-      CC="${CC}" CC_host="${CC}"     \
-      CXX="${CXX}" CXX_host="${CXX}" \
-      LINK_host="${CXX}"             \
-        "${ninja}/bin/ninja" -C "${buildPath}"  \
-          -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
-          ${concatStringsSep " " (extraAttrs.buildTargets or [])}
-    '';
+      buildCommand = target: ''
+        CC="${CC}" CC_host="${CC}"     \
+        CXX="${CXX}" CXX_host="${CXX}" \
+        LINK_host="${CXX}"             \
+          "${ninja}/bin/ninja" -C "${buildPath}"  \
+            -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
+            ${target}
+
+        if [[ "${target}" == mksnapshot.* || "${target}" == "chrome" ]]; then
+          paxmark m "${buildPath}/${target}"
+        fi
+      '';
+      targets = extraAttrs.buildTargets or [];
+      commands = map buildCommand targets;
+    in concatStringsSep "\n" commands;
   };
 
 # Remove some extraAttrs we supplied to the base attributes already.

pkgs/applications/networking/browsers/chromium/default.nix

@@ -15,6 +15,14 @@
 }:
 
 let
+  archInfo = with stdenv.lib; optionalAttrs (stdenv.system == "i686-linux") {
+    target_arch = "ia32";
+    python_arch = "ia32";
+  } // optionalAttrs (stdenv.system == "x86_64-linux") {
+    target_arch = "x64";
+    python_arch = "x86-64";
+  };
+
   callPackage = newScope chromium;
 
   chromium = {
@@ -27,10 +35,13 @@ let
     mkChromiumDerivation = callPackage ./common.nix {
       inherit enableSELinux enableNaCl useOpenSSL gnomeSupport
               gnomeKeyringSupport proprietaryCodecs cupsSupport
-              pulseSupport;
+              pulseSupport archInfo;
+    };
+
+    browser = callPackage ./browser.nix {
+      arch = archInfo.target_arch;
     };
 
-    browser = callPackage ./browser.nix { };
     sandbox = callPackage ./sandbox.nix { };
 
     plugins = callPackage ./plugins.nix {

pkgs/applications/networking/browsers/firefox/default.nix

@@ -91,6 +91,11 @@ rec {
 
     #installFlags = "SKIP_GRE_REGISTRATION=1";
 
+    preInstall = ''
+      # The following is needed for startup cache creation on grsecurity kernels
+      paxmark m ../objdir/dist/bin/xpcshell
+    '';
+
     postInstall = ''
       # Fix run-mozilla.sh search
       libDir=$(cd $out/lib && ls -d xulrunner-[0-9]*)
@@ -109,6 +114,10 @@ rec {
       for i in $out/lib/$libDir/*.so; do
           patchelf --set-rpath "$(patchelf --print-rpath "$i"):$out/lib/$libDir" $i || true
       done
+
+      # For grsecurity kernels
+      paxmark m $out/lib/$libDir/{plugin-container,xulrunner}
+
       for i in $out/lib/$libDir/{plugin-container,xulrunner,xulrunner-stub}; do
           wrapProgram $i --prefix LD_LIBRARY_PATH ':' "$out/lib/$libDir"
       done

pkgs/development/compilers/gcc/4.6/builder.sh

@@ -33,7 +33,7 @@ if test "$noSysDirs" = "1"; then
 
         # The path to the Glibc binaries such as `crti.o'.
         glibc_libdir="$(cat $NIX_GCC/nix-support/orig-libc)/lib"
-        
+
     else
         # Hack: support impure environments.
         extraFlags="-isystem /usr/include"
@@ -214,7 +214,7 @@ postInstall() {
     # previous gcc.
     rm -rf $out/libexec/gcc/*/*/install-tools
     rm -rf $out/lib/gcc/*/*/install-tools
-    
+
     # More dependencies with the previous gcc or some libs (gccbug stores the build command line)
     rm -rf $out/bin/gccbug
     # Take out the bootstrap-tools from the rpath, as it's not needed at all having $out
@@ -240,6 +240,11 @@ postInstall() {
         fi
     done
 
+    # Disable RANDMMAP on grsec, which causes segfaults when using
+    # precompiled headers.
+    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
+    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
+
     eval "$postInstallGhdl"
 }
 

pkgs/development/compilers/gcc/4.6/default.nix

@@ -99,7 +99,7 @@ let version = "4.6.3";
         withAbi = if gccAbi != null then " --with-abi=${gccAbi}" else "";
         withFpu = if gccFpu != null then " --with-fpu=${gccFpu}" else "";
         withFloat = if gccFloat != null then " --with-float=${gccFloat}" else "";
-      in 
+      in
         (withArch +
         withCpu +
         withAbi +

pkgs/development/compilers/gcc/4.8/builder.sh

@@ -239,6 +239,11 @@ postInstall() {
         fi
     done
 
+    # Disable RANDMMAP on grsec, which causes segfaults when using
+    # precompiled headers.
+    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
+    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
+
     eval "$postInstallGhdl"
 }
 

pkgs/development/compilers/gcc/4.8/default.nix

@@ -54,7 +54,7 @@ assert langGo -> langCC;
 with stdenv.lib;
 with builtins;
 
-let version = "4.8.2";
+let version = "4.8.3";
 
     # Whether building a cross-compiler for GNU/Hurd.
     crossGNU = cross != null && cross.config == "i586-pc-gnu";
@@ -64,7 +64,7 @@ let version = "4.8.2";
   */
     enableParallelBuilding = !profiledCompiler;
 
-    patches = [ ./bug-58800.patch ] # http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58800
+    patches = []
       ++ optional enableParallelBuilding ./parallel-bconfig.patch
       ++ optional (cross != null) ./libstdc++-target.patch
       # ++ optional noSysDirs ./no-sys-dirs.patch
@@ -212,7 +212,7 @@ stdenv.mkDerivation ({
 
   src = fetchurl {
     url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.bz2";
-    sha256 = "1j6dwgby4g3p3lz7zkss32ghr45zpdidrg8xvazvn91lqxv25p09";
+    sha256 = "07hg10zs7gnqz58my10ch0zygizqh0z0bz6pv4pgxx45n48lz3ka";
   };
 
   inherit patches;

pkgs/development/compilers/ghc/6.10.4.nix

@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
     "--with-gcc=${stdenv.gcc}/bin/gcc"
   ];
 
+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
   meta = {
     inherit homepage;
     description = "The Glasgow Haskell Compiler";

pkgs/development/compilers/ghc/6.12.3.nix

@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
     "--with-gcc=${stdenv.gcc}/bin/gcc"
   ];
 
+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
   # required, because otherwise all symbols from HSffi.o are stripped, and
   # that in turn causes GHCi to abort
   stripDebugFlags=["-S" "--keep-file-symbols"];

pkgs/development/compilers/ghc/7.0.4.nix

@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
     "--with-gcc=${stdenv.gcc}/bin/gcc"
   ];
 
+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
   # required, because otherwise all symbols from HSffi.o are stripped, and
   # that in turn causes GHCi to abort
   stripDebugFlags=["-S" "--keep-file-symbols"];

pkgs/development/compilers/ghc/7.2.2.nix

@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
     "--with-gcc=${stdenv.gcc}/bin/gcc"
   ];
 
+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
   # required, because otherwise all symbols from HSffi.o are stripped, and
   # that in turn causes GHCi to abort
   stripDebugFlags=["-S" "--keep-file-symbols"];

pkgs/development/compilers/ghc/7.6.3.nix

@@ -1,6 +1,13 @@
-{ stdenv, fetchurl, ghc, perl, gmp, ncurses }:
+{ stdenv, fetchurl, ghc, perl, gmp, ncurses, binutils }:
 
-stdenv.mkDerivation rec {
+let
+  # The "-Wa,--noexecstack" options might be needed only with GNU ld (as opposed
+  # to the gold linker). It prevents binaries' stacks from being marked as
+  # executable, which fails to run on a grsecurity/PaX kernel.
+  ghcFlags = "-optc-Wa,--noexecstack -opta-Wa,--noexecstack";
+  cFlags = "-Wa,--noexecstack";
+
+in stdenv.mkDerivation rec {
   version = "7.6.3";
 
   name = "ghc-${version}";
@@ -12,21 +19,40 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ghc perl gmp ncurses ];
 
-
   buildMK = ''
     libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-libraries="${gmp}/lib"
     libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-includes="${gmp}/include"
+
+  '' + stdenv.lib.optionalString stdenv.isLinux ''
+    # Set ghcFlags for building ghc itself
+    SRC_HC_OPTS += ${ghcFlags}
+    SRC_CC_OPTS += ${cFlags}
   '';
 
   preConfigure = ''
     echo "${buildMK}" > mk/build.mk
     sed -i -e 's|-isysroot /Developer/SDKs/MacOSX10.5.sdk||' configure
+
+  '' + stdenv.lib.optionalString stdenv.isLinux ''
+    # Set ghcFlags for binaries that ghc builds
+    sed -i -e 's|"\$topdir"|"\$topdir" ${ghcFlags}|' ghc/ghc.wrapper
+
   '' + stdenv.lib.optionalString (!stdenv.isDarwin) ''
     export NIX_LDFLAGS="$NIX_LDFLAGS -rpath $out/lib/ghc-${version}"
   '';
 
   configureFlags = "--with-gcc=${stdenv.gcc}/bin/gcc";
 
+  postInstall = ''
+    # ghci uses mmap with rwx protection at it implements dynamic
+    # linking on its own. See:
+    # - https://bugs.gentoo.org/show_bug.cgi?id=299709
+    # - https://ghc.haskell.org/trac/ghc/ticket/4244
+    # Therefore, we have to pax-mark the resulting binary.
+    # Haddock also seems to run with ghci, so mark it as well.
+    paxmark m $out/lib/${name}/{ghc,haddock}
+  '';
+
   # required, because otherwise all symbols from HSffi.o are stripped, and
   # that in turn causes GHCi to abort
   stripDebugFlags=["-S" "--keep-file-symbols"];

pkgs/development/compilers/icedtea/default.nix

@@ -59,7 +59,7 @@ with srcInfo; stdenv.mkDerivation {
     "--disable-downloading"
 
     "--without-rhino"
-    # Uncomment this when paxctl lands in stdenv: "--with-pax=paxctl"
+    "--with-pax=paxctl"
     "--with-jdk-home=${jdkPath}"
   ];