authorSam James <sam@gentoo.org>2020-11-20 13:16:17 -0600
committerWilliam Hubbs <williamh@gentoo.org>2020-11-20 14:23:32 -0600
commit3e4294ea80a70435fa09c3579da81c428fa15efc (patch)
treebc00477d4d7029f16c8a6b1ccb2268be8552391d
parentapp-doc/gnucash-docs: Cleanup (diff)
net-libs/nodejs: restore PaX support
Reverts: 19add7ba6500e6c60c8699b6bdda397744dfa73b Bug: https://bugs.gentoo.org/735832 Package-Manager: Portage-3.0.9, Repoman-3.0.2 Signed-off-by: Sam James <sam@gentoo.org> Signed-off-by: William Hubbs <williamh@gentoo.org>
-rw-r--r--net-libs/nodejs/files/nodejs-13.2.0-paxmarking.patch71
-rw-r--r--net-libs/nodejs/files/nodejs-13.8.0-paxmarking.patch111
-rw-r--r--net-libs/nodejs/metadata.xml3
-rw-r--r--net-libs/nodejs/nodejs-12.18.4-r1.ebuild5
-rw-r--r--net-libs/nodejs/nodejs-12.19.1.ebuild5
-rw-r--r--net-libs/nodejs/nodejs-14.2.0.ebuild10
-rw-r--r--net-libs/nodejs/nodejs-99999999.ebuild10
7 files changed, 208 insertions, 7 deletions
diff --git a/net-libs/nodejs/files/nodejs-13.2.0-paxmarking.patch b/net-libs/nodejs/files/nodejs-13.2.0-paxmarking.patch
new file mode 100644
index 000000000000..1061255e1637
--- /dev/null
+++ b/net-libs/nodejs/files/nodejs-13.2.0-paxmarking.patch
@@ -0,0 +1,71 @@
+ Bug: 694100
+ Add actions for pax marking mkcodecache and node_mksnapshot
+ to disable mprotect for pax enable kernel.
+ Reported-by: Attila Tóth <atoth@atoth.sote.hu>
+ Co-developed-by: Attila Tóth <atoth@atoth.sote.hu>
+ Signed-off-by: Magnus Granberg <zorry@gentoo.org>
+
+--- a/node.gyp 2019-10-23 11:52:41.000000000 +0200
++++ a/node.gyp 2019-11-12 20:58:43.957881862 +0100
+@@ -233,7 +233,9 @@
+ 'deps/acorn-plugins/acorn-static-class-features/index.js',
+ ],
+ 'node_mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)node_mksnapshot<(EXECUTABLE_SUFFIX)',
++ 'node_mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)node_mksnapshot_u<(EXECUTABLE_SUFFIX)',
+ 'mkcodecache_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkcodecache<(EXECUTABLE_SUFFIX)',
++ 'mkcodecache_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkcodecache_u<(EXECUTABLE_SUFFIX)',
+ 'conditions': [
+ [ 'node_shared=="true"', {
+ 'node_target_type%': 'shared_library',
+@@ -436,10 +438,24 @@
+ ],
+ 'actions': [
+ {
++ 'action_name': 'run_pax_mkcodecache',
++ 'inputs': [
++ '<(mkcodecache_exec)',
++ ],
++ 'outputs': [
++ '<(mkcodecache_u_exec)',
++ ],
++ 'action': [
++ 'bash',
++ '-c',
++ 'mv <(mkcodecache_exec) <(mkcodecache_u_exec) && paxmark.sh m <(mkcodecache_u_exec)',
++ ],
++ },
++ {
+ 'action_name': 'run_mkcodecache',
+ 'process_outputs_as_sources': 1,
+ 'inputs': [
+- '<(mkcodecache_exec)',
++ '<(mkcodecache_u_exec)',
+ ],
+ 'outputs': [
+ '<(SHARED_INTERMEDIATE_DIR)/node_code_cache.cc',
+@@ -461,10 +477,24 @@
+ ],
+ 'actions': [
+ {
++ 'action_name': 'run_pax_mksnapshot',
++ 'inputs': [
++ '<(node_mksnapshot_exec)',
++ ],
++ 'outputs': [
++ '<(node_mksnapshot_u_exec)',
++ ],
++ 'action': [
++ 'bash',
++ '-c',
++ 'mv <(node_mksnapshot_exec) <(node_mksnapshot_u_exec) && paxmark.sh m <(node_mksnapshot_u_exec)',
++ ],
++ },
++ {
+ 'action_name': 'node_mksnapshot',
+ 'process_outputs_as_sources': 1,
+ 'inputs': [
+- '<(node_mksnapshot_exec)',
++ '<(node_mksnapshot_u_exec)',
+ ],
+ 'outputs': [
+ '<(SHARED_INTERMEDIATE_DIR)/node_snapshot.cc',
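Review bot: The `run_pax_mkcodecache` and `run_pax_mksnapshot` actions `mv` their declared input away, so the file the producing target claims to have built no longer exists afterwards; a second `make` in the same tree would presumably relink the helper and re-run both the marking and the generation step. Copying keeps the graph consistent, e.g. `'cp <(mkcodecache_exec) <(mkcodecache_u_exec) && paxmark.sh m <(mkcodecache_u_exec)',`. The paths are also interpolated unquoted into the `bash -c` string, which breaks if `PRODUCT_DIR` ever contains whitespace. Separately, the embedded patch header names `a/node.gyp` on both the `---` and `+++` lines, unlike the 13.8.0 patch. The same actions recur in nodejs-13.8.0-paxmarking.patch, including the `run_pax_mksnapshot` action added to tools/v8_gypfiles/v8.gyp.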
diff --git a/net-libs/nodejs/files/nodejs-13.8.0-paxmarking.patch b/net-libs/nodejs/files/nodejs-13.8.0-paxmarking.patch
new file mode 100644
index 000000000000..8dbf5f43d486
--- /dev/null
+++ b/net-libs/nodejs/files/nodejs-13.8.0-paxmarking.patch
@@ -0,0 +1,111 @@
+ Bug: 694100
+ Add actions for pax marking mkcodecache, node_mksnapshot and mksnapshot
+ to disable mprotect for pax enable kernel.
+ Reported-by: Attila Tóth <atoth@atoth.sote.hu>
+ Co-developed-by: Attila Tóth <atoth@atoth.sote.hu>
+ Signed-off-by: Magnus Granberg <zorry@gentoo.org>
+
+--- a/node.gyp 2019-10-23 11:52:41.000000000 +0200
++++ b/node.gyp 2019-11-12 20:58:43.957881862 +0100
+@@ -233,7 +233,9 @@
+ 'deps/acorn-plugins/acorn-static-class-features/index.js',
+ ],
+ 'node_mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)node_mksnapshot<(EXECUTABLE_SUFFIX)',
++ 'node_mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)node_mksnapshot_u<(EXECUTABLE_SUFFIX)',
+ 'mkcodecache_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkcodecache<(EXECUTABLE_SUFFIX)',
++ 'mkcodecache_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkcodecache_u<(EXECUTABLE_SUFFIX)',
+ 'conditions': [
+ [ 'node_shared=="true"', {
+ 'node_target_type%': 'shared_library',
+@@ -436,10 +438,24 @@
+ ],
+ 'actions': [
+ {
++ 'action_name': 'run_pax_mkcodecache',
++ 'inputs': [
++ '<(mkcodecache_exec)',
++ ],
++ 'outputs': [
++ '<(mkcodecache_u_exec)',
++ ],
++ 'action': [
++ 'bash',
++ '-c',
++ 'mv <(mkcodecache_exec) <(mkcodecache_u_exec) && paxmark.sh m <(mkcodecache_u_exec)',
++ ],
++ },
++ {
+ 'action_name': 'run_mkcodecache',
+ 'process_outputs_as_sources': 1,
+ 'inputs': [
+- '<(mkcodecache_exec)',
++ '<(mkcodecache_u_exec)',
+ ],
+ 'outputs': [
+ '<(SHARED_INTERMEDIATE_DIR)/node_code_cache.cc',
+@@ -461,10 +477,24 @@
+ ],
+ 'actions': [
+ {
++ 'action_name': 'run_pax_mksnapshot',
++ 'inputs': [
++ '<(node_mksnapshot_exec)',
++ ],
++ 'outputs': [
++ '<(node_mksnapshot_u_exec)',
++ ],
++ 'action': [
++ 'bash',
++ '-c',
++ 'mv <(node_mksnapshot_exec) <(node_mksnapshot_u_exec) && paxmark.sh m <(node_mksnapshot_u_exec)',
++ ],
++ },
++ {
+ 'action_name': 'node_mksnapshot',
+ 'process_outputs_as_sources': 1,
+ 'inputs': [
+- '<(node_mksnapshot_exec)',
++ '<(node_mksnapshot_u_exec)',
+ ],
+ 'outputs': [
+ '<(SHARED_INTERMEDIATE_DIR)/node_snapshot.cc',
+--- a/tools/v8_gypfiles/v8.gyp 2019-12-03 16:10:36.000000000 +0100
++++ b/tools/v8_gypfiles/v8.gyp 2019-12-17 18:37:33.695839254 +0100
+@@ -9,6 +9,7 @@
+ 'v8_vector_stores%': 0,
+ 'v8_embed_script%': "",
+ 'mksnapshot_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
++ 'mksnapshot_u_exec': '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
+ 'v8_os_page_size%': 0,
+ 'generate_bytecode_output_root': '<(SHARED_INTERMEDIATE_DIR)/generate-bytecode-output-root',
+ 'generate_bytecode_builtins_list_output': '<(generate_bytecode_output_root)/builtins-generated/bytecodes-builtins-list.h',
+@@ -427,6 +425,20 @@
+ },
+ 'actions': [
+ {
++ 'action_name': 'run_pax_mksnapshot',
++ 'inputs': [
++ '<(mksnapshot_exec)',
++ ],
++ 'outputs': [
++ '<(mksnapshot_u_exec)',
++ ],
++ 'action': [
++ 'bash',
++ '-c',
++ 'mv <(mksnapshot_exec) <(mksnapshot_u_exec) && paxmark.sh m <(mksnapshot_u_exec)',
++ ],
++ },
++ {
+ 'action_name': 'run_mksnapshot',
+ 'message': 'generating: >@(_outputs)',
+ 'variables': {
+@@ -442,7 +454,7 @@
+ ],
+ },
+ 'inputs': [
+- '<(mksnapshot_exec)',
++ '<(mksnapshot_u_exec)',
+ ],
+ 'outputs': ["<(INTERMEDIATE_DIR)/snapshot.cc"],
+ 'process_outputs_as_sources': 1,
diff --git a/net-libs/nodejs/metadata.xml b/net-libs/nodejs/metadata.xml
index 1f2cfaf97be7..f7299ab330dd 100644
--- a/net-libs/nodejs/metadata.xml
+++ b/net-libs/nodejs/metadata.xml
@@ -3,7 +3,7 @@
<pkgmetadata>
<maintainer type="person">
<email>williamh@gentoo.org</email>
- <name>William Hubbs</name>
+ <name>William Hubbs</name>
</maintainer>
<maintainer type="person">
<email>marecki@gentoo.org</email>
@@ -13,6 +13,7 @@
<use>
<flag name="inspector">Enable V8 inspector</flag>
<flag name="npm">Enable NPM package manager</flag>
+ <flag name="pax_kernel">Enable building under a PaX enabled kernel</flag>
<flag name="snapshot">Enable snapshot creation for faster startup</flag>
<flag name="system-icu">Use system <pkg>dev-libs/icu</pkg> instead of the bundled version</flag>
<flag name="system-ssl">Use system OpenSSL instead of the bundled one</flag>
diff --git a/net-libs/nodejs/nodejs-12.18.4-r1.ebuild b/net-libs/nodejs/nodejs-12.18.4-r1.ebuild
index bbdc7bd8dd9b..c606807087ac 100644
--- a/net-libs/nodejs/nodejs-12.18.4-r1.ebuild
+++ b/net-libs/nodejs/nodejs-12.18.4-r1.ebuild
@@ -4,7 +4,7 @@
EAPI=7
PYTHON_COMPAT=( python3_{6,7} )
PYTHON_REQ_USE="threads(+)"
-inherit bash-completion-r1 flag-o-matic python-any-r1 toolchain-funcs xdg-utils
+inherit bash-completion-r1 flag-o-matic pax-utils python-any-r1 toolchain-funcs xdg-utils
DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
HOMEPAGE="https://nodejs.org/"
@@ -139,6 +139,7 @@ src_configure() {
src_compile() {
emake -C out mksnapshot
+ pax-mark m "out/${BUILDTYPE}/mksnapshot"
emake -C out
}
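Review bot: The added `pax-mark m "out/${BUILDTYPE}/mksnapshot"` has no comment saying why a build helper gets its MPROTECT restriction lifted, and it spells the flag `m` while src_install in the same ebuild uses `-m`. The eclass appears to accept both spellings, but one form throughout is easier to grep when auditing PaX exemptions. I would add `# mksnapshot must run with PaX MPROTECT disabled, bug #735832` above the line and write the flag as `-m`. The same line is added in nodejs-12.19.1.ebuild.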
@@ -146,6 +147,8 @@ src_install() {
local LIBDIR="${ED}/usr/$(get_libdir)"
default
+ pax-mark -m "${ED}"/usr/bin/node
+
# set up a symlink structure that node-gyp expects..
dodir /usr/include/node/deps/{v8,uv}
dosym . /usr/include/node/src
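Review bot: `pax-mark -m "${ED}"/usr/bin/node` relaxes PaX MPROTECT on the installed runtime for every user of the package, and nothing in the hunk records that this is a deliberate hardening exemption. The mark is also unconditional here, whereas the 14.2.0 and live ebuilds gate only the build-time patch on `pax_kernel`. A one-line comment would make the trade-off visible to anyone auditing the image, for example `# node needs PaX MPROTECT off to run (presumably V8's JIT mappings); bug #735832`. src_install continues outside the hunk. The identical line is added in nodejs-12.19.1.ebuild, nodejs-14.2.0.ebuild and nodejs-99999999.ebuild.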
diff --git a/net-libs/nodejs/nodejs-12.19.1.ebuild b/net-libs/nodejs/nodejs-12.19.1.ebuild
index 613432efea39..bb763d423aa6 100644
--- a/net-libs/nodejs/nodejs-12.19.1.ebuild
+++ b/net-libs/nodejs/nodejs-12.19.1.ebuild
@@ -6,7 +6,7 @@ EAPI=7
PYTHON_COMPAT=( python3_{6..8} )
PYTHON_REQ_USE="threads(+)"
-inherit bash-completion-r1 flag-o-matic python-any-r1 toolchain-funcs xdg-utils
+inherit bash-completion-r1 flag-o-matic pax-utils python-any-r1 toolchain-funcs xdg-utils
DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
HOMEPAGE="https://nodejs.org/"
@@ -141,6 +141,7 @@ src_configure() {
src_compile() {
emake -C out mksnapshot
+ pax-mark m "out/${BUILDTYPE}/mksnapshot"
emake -C out
}
@@ -148,6 +149,8 @@ src_install() {
local LIBDIR="${ED}/usr/$(get_libdir)"
default
+ pax-mark -m "${ED}"/usr/bin/node
+
# set up a symlink structure that node-gyp expects..
dodir /usr/include/node/deps/{v8,uv}
dosym . /usr/include/node/src
diff --git a/net-libs/nodejs/nodejs-14.2.0.ebuild b/net-libs/nodejs/nodejs-14.2.0.ebuild
index 4b3509f8db3a..47e27f908894 100644
--- a/net-libs/nodejs/nodejs-14.2.0.ebuild
+++ b/net-libs/nodejs/nodejs-14.2.0.ebuild
@@ -4,7 +4,7 @@
EAPI=7
PYTHON_COMPAT=( python3_{6,7,8} )
PYTHON_REQ_USE="threads(+)"
-inherit bash-completion-r1 flag-o-matic python-any-r1 toolchain-funcs xdg-utils
+inherit bash-completion-r1 flag-o-matic pax-utils python-any-r1 toolchain-funcs xdg-utils
DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
HOMEPAGE="https://nodejs.org/"
@@ -15,7 +15,7 @@ SRC_URI="
LICENSE="Apache-1.1 Apache-2.0 BSD BSD-2 MIT"
SLOT="0"
KEYWORDS="ppc"
-IUSE="cpu_flags_x86_sse2 debug doc icu inspector +npm +snapshot +ssl +system-ssl systemtap test"
+IUSE="cpu_flags_x86_sse2 debug doc icu inspector +npm pax_kernel +snapshot +ssl +system-ssl systemtap test"
REQUIRED_USE="
inspector? ( icu ssl )
npm? ( ssl )
@@ -35,6 +35,7 @@ BDEPEND="
sys-apps/coreutils
systemtap? ( dev-util/systemtap )
test? ( net-misc/curl )
+ pax_kernel? ( sys-apps/elfix )
"
DEPEND="
${RDEPEND}
@@ -88,6 +89,9 @@ src_prepare() {
BUILDTYPE=Debug
fi
+ # We need to disable mprotect on two files when it builds Bug 694100.
+ use pax_kernel && PATCHES+=( "${FILESDIR}"/${PN}-13.8.0-paxmarking.patch )
+
default
}
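Review bot: The new comment says mprotect is disabled "on two files", but the patch selected here, nodejs-13.8.0-paxmarking.patch, describes itself as marking three helpers (mkcodecache, node_mksnapshot and mksnapshot). The comment should also cite the bug in the usual form, e.g. `# Disable PaX MPROTECT on the build-time helpers (mkcodecache, node_mksnapshot, mksnapshot), bug #694100.`. src_prepare starts outside the hunk.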
@@ -137,6 +141,8 @@ src_install() {
local LIBDIR="${ED}/usr/$(get_libdir)"
default
+ pax-mark -m "${ED}"/usr/bin/node
+
# set up a symlink structure that node-gyp expects..
dodir /usr/include/node/deps/{v8,uv}
dosym . /usr/include/node/src
diff --git a/net-libs/nodejs/nodejs-99999999.ebuild b/net-libs/nodejs/nodejs-99999999.ebuild
index 65d30862d4c6..e7a2c7c7eb93 100644
--- a/net-libs/nodejs/nodejs-99999999.ebuild
+++ b/net-libs/nodejs/nodejs-99999999.ebuild
@@ -4,7 +4,7 @@
EAPI=7
PYTHON_COMPAT=( python3_{6,7,8} )
PYTHON_REQ_USE="threads(+)"
-inherit bash-completion-r1 flag-o-matic git-r3 python-any-r1 toolchain-funcs xdg-utils
+inherit bash-completion-r1 flag-o-matic git-r3 pax-utils python-any-r1 toolchain-funcs xdg-utils
DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
HOMEPAGE="https://nodejs.org/"
@@ -13,7 +13,7 @@ EGIT_REPO_URI="https://github.com/nodejs/node"
LICENSE="Apache-1.1 Apache-2.0 BSD BSD-2 MIT"
SLOT="0"
KEYWORDS=""
-IUSE="cpu_flags_x86_sse2 debug doc +icu inspector +npm +snapshot +ssl +system-ssl systemtap test"
+IUSE="cpu_flags_x86_sse2 debug doc +icu inspector +npm pax_kernel +snapshot +ssl +system-ssl systemtap test"
RESTRICT="!test? ( test )"
REQUIRED_USE="
inspector? ( icu ssl )
@@ -35,6 +35,7 @@ BDEPEND="
sys-apps/coreutils
systemtap? ( dev-util/systemtap )
test? ( net-misc/curl )
+ pax_kernel? ( sys-apps/elfix )
"
DEPEND="
${RDEPEND}
@@ -83,6 +84,9 @@ src_prepare() {
BUILDTYPE=Debug
fi
+ # We need to disable mprotect on two files when it builds Bug 694100.
+ use pax_kernel && PATCHES+=( "${FILESDIR}"/${PN}-13.2.0-paxmarking.patch )
+
default
}
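Review bot: The live ebuild selects `${PN}-13.2.0-paxmarking.patch`, while nodejs-14.2.0.ebuild selects the 13.8.0 patch, which additionally marks `mksnapshot` in tools/v8_gypfiles/v8.gyp. If the upstream tree this ebuild tracks still builds mksnapshot through v8.gyp, that helper would presumably run unmarked and the build would fail on a PaX kernel with `pax_kernel` enabled. Unless the older patch is intentional, I would use `use pax_kernel && PATCHES+=( "${FILESDIR}"/${PN}-13.8.0-paxmarking.patch )` here as well. src_prepare starts outside the hunk.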
@@ -136,6 +140,8 @@ src_install() {
local LIBDIR="${ED}/usr/$(get_libdir)"
default
+ pax-mark -m "${ED}"/usr/bin/node
+
# set up a symlink structure that node-gyp expects..
dodir /usr/include/node/deps/{v8,uv}
dosym . /usr/include/node/src