fix paxmark on non-linux (a bug in grsecurity PR #1187)

pkgs/stdenv/generic/builder.sh

@@ -12,6 +12,7 @@ cat "$setup" >> $out/setup
 sed -e "s^@initialPath@^$initialPath^g" \
     -e "s^@gcc@^$gcc^g" \
     -e "s^@shell@^$shell^g" \
+    -e "s^@needsPax@^$needsPax^g" \
     < $out/setup > $out/setup.tmp
 mv $out/setup.tmp $out/setup
 

pkgs/stdenv/generic/default.nix

@@ -31,11 +31,19 @@ let
       builder = shell;
 
       args = ["-e" ./builder.sh];
+      /* TODO: special-cased @var@ substitutions are ugly.
+          However, using substituteAll* from setup.sh seems difficult,
+          as setup.sh can't be directly sourced.
+          Suggestion: split similar utility functions into a separate script.
+      */
 
       setup = setupScript;
 
       inherit preHook initialPath gcc shell;
 
+      # Whether we should run paxctl to pax-mark binaries
+      needsPax = result.isLinux && !skipPaxMarking;
+
       propagatedUserEnvPkgs = [gcc] ++
         lib.filter lib.isDerivation initialPath;
 
@@ -159,9 +167,6 @@ let
            || system == "armv6l-linux"
            || system == "armv7l-linux";
 
-      # Whether we should run paxctl to pax-mark binaries
-      needsPax = isLinux && !skipPaxMarking;
-
       # For convenience, bring in the library functions in lib/ so
       # packages don't have to do that themselves.
       inherit lib;