authorhenning mueller2015-07-05 19:51:23 +0200
committerhenning mueller2015-07-05 19:51:23 +0200
commitd61366fc81ce7a82a4eeaccb0482f25bbd9a2260 (patch)
treea38ca9b3373e7dc884a223f5d77fc65fc2ed05c0
downloadaur-d61366fc81ce7a82a4eeaccb0482f25bbd9a2260.tar.gz
Initial import
-rw-r--r--.SRCINFO49
-rw-r--r--PKGBUILD57
-rw-r--r--android.conf12
-rw-r--r--browsers.conf15
-rw-r--r--clamav.conf6
-rw-r--r--games.conf31
-rw-r--r--imagemagick.conf13
-rw-r--r--java.conf13
-rw-r--r--kde.conf22
-rw-r--r--linux-pax-flags.8112
-rwxr-xr-xlinux-pax-flags.rb278
-rwxr-xr-xlinux-pax-flags.sh13
-rw-r--r--polkit.conf5
-rw-r--r--qemu.conf51
-rw-r--r--ruby.conf8
-rw-r--r--simple.conf55
-rw-r--r--skype.conf3
-rw-r--r--steam.conf63
-rw-r--r--valgrind.conf25
-rw-r--r--wine.conf4
20 files changed, 835 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..9c6bee7db6bf
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,49 @@
+pkgbase = linux-pax-flags
+ pkgdesc = Deactivates PaX flags for several binaries to work with PaX enabled kernels.
+ pkgver = 2.0.16
+ pkgrel = 4
+ url = https://github.com/nning/linux-pax-flags
+ arch = any
+ license = GPL3
+ depends = ruby
+ depends = paxctl
+ optdepends = sudo: Run as root automatically.
+ source = linux-pax-flags.sh
+ source = linux-pax-flags.rb
+ source = linux-pax-flags.8
+ source = android.conf
+ source = browsers.conf
+ source = clamav.conf
+ source = games.conf
+ source = imagemagick.conf
+ source = java.conf
+ source = kde.conf
+ source = polkit.conf
+ source = qemu.conf
+ source = ruby.conf
+ source = simple.conf
+ source = skype.conf
+ source = steam.conf
+ source = valgrind.conf
+ source = wine.conf
+ sha256sums = 8581506830903ffcbb0876e4380d660ff044d9805d68f1432753c5bb99dc0db9
+ sha256sums = 4eaab9347a35c39f13e23866da943b21e4e26bc882b066ef504e4374d9a79311
+ sha256sums = 2020957abcd75d71b7f7dcca49eb3ff5f655eb69a306159eaf2e7d3a60c1ad5c
+ sha256sums = 29d27cf02b1683ed1017775c24476ec7cfcec3d69d2b2d4fd0263252ef01ce46
+ sha256sums = 5f81411fd2e7c15ceed6d04eb1a38bdcf6117b401e180c64b463e6d63e55827b
+ sha256sums = bb87f4dce8e20f2ce601bdcb888dd688d8f0e9d0ab367e09c8081daffa15b03a
+ sha256sums = c0b7b6c71490ba3a446db31598b78a8ccb1130f7fa181edb38aa022d9aa1076f
+ sha256sums = 7dc92a303004c9d74a1fe4d40d75105a703366ade8b2b459b0aae8d6f8b62ed0
+ sha256sums = 71afe786955d149fe216ff1a60348562914a6820d3b7f9dc42aa44913062b04e
+ sha256sums = 01ddeec77c605e1d3aa00a1fdc4c3537989468ab78da5f37b893cdbcfe34176c
+ sha256sums = 1f205fddfb427a696fb00221a3007453e25fbbf180ea026c264d23eeac9e1870
+ sha256sums = 2736d0ef20d0127c34e132db38d8993dee3062ba0ac0cdf8d444a8d3665698b8
+ sha256sums = e5562d68df885c5ceeb51709fc57c86d7b2c7849b9d99f828a77228878e25d71
+ sha256sums = ea10930e4b20064f104a476958b2f794d6220ac8a1c39b8f3105f7914c61d9f9
+ sha256sums = 459925589cc1c7b3c4e548c0ab30ae8c8780d093d6ff2bfc3c27e9712b032c9e
+ sha256sums = 561ec088f1408e35046ad6d5ef6eac0ede40f97e0a6cc28b470a19c611c970b2
+ sha256sums = ea003c4201745cd0c4bcf5cec5ca2d0a79cc6b1b04ceaa276ace0ad0287b8c50
+ sha256sums = d78fe0a02b5801c70e3d64045b12c3cbee358689da9082d71003b1cffda73ee3
+
+pkgname = linux-pax-flags
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..e0183cb019fe
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,57 @@
+# Contributors:
+# henning mueller <henning@orgizm.net>
+# Ahmad24, duncant, echoblack, niki, ShadowKyogre, s1gma, test0
+#
+# Find this package in the AUR:
+# https://aur.archlinux.org/packages/linux-pax-flags
+#
+# Please report bugs and new flags on GitHub:
+# https://github.com/nning/linux-pax-flags
+#
+
+pkgname=linux-pax-flags
+pkgdesc='Deactivates PaX flags for several binaries to work with PaX enabled kernels.'
+pkgver=2.0.16
+pkgrel=4
+arch=(any)
+url='https://github.com/nning/linux-pax-flags'
+license=(GPL3)
+depends=(ruby paxctl)
+optdepends=('sudo: Run as root automatically.')
+source=(
+ $pkgname.sh $pkgname.rb $pkgname.8
+ android.conf browsers.conf clamav.conf games.conf imagemagick.conf java.conf
+ kde.conf polkit.conf qemu.conf ruby.conf simple.conf skype.conf steam.conf
+ valgrind.conf wine.conf
+)
+
+package() {
+ install -D -m755 $srcdir/$pkgname.sh $pkgdir/usr/bin/$pkgname
+ install -D -m755 $srcdir/$pkgname.rb $pkgdir/usr/bin/$pkgname.rb
+ install -D -m644 $srcdir/$pkgname.8 $pkgdir/usr/share/man/man8/$pkgname.8
+
+ for config in $srcdir/*.conf; do
+ install -D -m600 $config $pkgdir/usr/share/$pkgname/$(basename $config)
+ done
+
+ mkdir -p $pkgdir/etc/pax-flags
+}
+
+sha256sums=('8581506830903ffcbb0876e4380d660ff044d9805d68f1432753c5bb99dc0db9'
+ '4eaab9347a35c39f13e23866da943b21e4e26bc882b066ef504e4374d9a79311'
+ '2020957abcd75d71b7f7dcca49eb3ff5f655eb69a306159eaf2e7d3a60c1ad5c'
+ '29d27cf02b1683ed1017775c24476ec7cfcec3d69d2b2d4fd0263252ef01ce46'
+ '5f81411fd2e7c15ceed6d04eb1a38bdcf6117b401e180c64b463e6d63e55827b'
+ 'bb87f4dce8e20f2ce601bdcb888dd688d8f0e9d0ab367e09c8081daffa15b03a'
+ 'c0b7b6c71490ba3a446db31598b78a8ccb1130f7fa181edb38aa022d9aa1076f'
+ '7dc92a303004c9d74a1fe4d40d75105a703366ade8b2b459b0aae8d6f8b62ed0'
+ '71afe786955d149fe216ff1a60348562914a6820d3b7f9dc42aa44913062b04e'
+ '01ddeec77c605e1d3aa00a1fdc4c3537989468ab78da5f37b893cdbcfe34176c'
+ '1f205fddfb427a696fb00221a3007453e25fbbf180ea026c264d23eeac9e1870'
+ '2736d0ef20d0127c34e132db38d8993dee3062ba0ac0cdf8d444a8d3665698b8'
+ 'e5562d68df885c5ceeb51709fc57c86d7b2c7849b9d99f828a77228878e25d71'
+ 'ea10930e4b20064f104a476958b2f794d6220ac8a1c39b8f3105f7914c61d9f9'
+ '459925589cc1c7b3c4e548c0ab30ae8c8780d093d6ff2bfc3c27e9712b032c9e'
+ '561ec088f1408e35046ad6d5ef6eac0ede40f97e0a6cc28b470a19c611c970b2'
+ 'ea003c4201745cd0c4bcf5cec5ca2d0a79cc6b1b04ceaa276ace0ad0287b8c50'
+ 'd78fe0a02b5801c70e3d64045b12c3cbee358689da9082d71003b1cffda73ee3')
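Review bot: `$srcdir` and `$pkgdir` are expanded unquoted throughout `package()`, so the install steps break when makepkg runs from a build directory whose path contains spaces. Quote each expansion, e.g. `install -D -m755 "$srcdir/$pkgname.sh" "$pkgdir/usr/bin/$pkgname"` and `install -D -m600 "$config" "$pkgdir/usr/share/$pkgname/$(basename "$config")"`. Replacing the final `mkdir -p` with `install -d -m755 "$pkgdir/etc/pax-flags"` would make the mode of the override directory explicit instead of umask-dependent. That directory should stay writable by root only, because files in it decide which binaries lose PaX protections and which status/start/stop commands linux-pax-flags.rb runs as root.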
diff --git a/android.conf b/android.conf
new file mode 100644
index 000000000000..a37e62f1daab
--- /dev/null
+++ b/android.conf
@@ -0,0 +1,12 @@
+# MPROTECT off
+PSmXER:
+ - /opt/android-sdk/tools/emulator-arm
+ - /opt/android-sdk/tools/emulator-mips
+ - /opt/android-sdk/tools/emulator-x86
+ - /opt/android-sdk/tools/emulator64-arm
+ - /opt/android-sdk/tools/emulator64-mips
+ - /opt/android-sdk/tools/emulator64-x86
+ - /opt/android-sdk/platform-tools/adb:
+ status: "pidof adb"
+ start: "adb start-server"
+ stop: "adb kill-server"
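Review bot: The `start: "adb start-server"` action on the adb entry is executed by linux-pax-flags.rb, which refuses to run unless its uid is 0, so after the flags are written the adb server appears to be restarted as root rather than as the user who had been running it. The bare `pidof` and `adb` names are also resolved through root's PATH, not through the `/opt/android-sdk/platform-tools/adb` path the entry itself names. Consider dropping the `start` action and leaving the restart to the user, or at least using the absolute path in the commands, e.g. `stop: "/opt/android-sdk/platform-tools/adb kill-server"`.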
diff --git a/browsers.conf b/browsers.conf
new file mode 100644
index 000000000000..b44c2d582655
--- /dev/null
+++ b/browsers.conf
@@ -0,0 +1,15 @@
+# MPROTECT and RANDMMAP off
+PSmXEr:
+ - ~/.tor-browser-??/INSTALL/Browser/firefox
+ - ~/.tor-browser-??/INSTALL/Browser/plugin-container
+ - /usr/bin/elinks
+ - /usr/bin/qupzilla
+ - /usr/lib/chromium/chromium
+ - /usr/lib/firefox/firefox
+ - /usr/lib/firefox/plugin-container
+ - /usr/lib/opera/opera
+ - /usr/lib/opera/pluginwrapper/operapluginwrapper-native
+
+# MPROTECT off
+PSmXER:
+ - /usr/bin/midori
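Review bot: The two `~/.tor-browser-??/...` entries point into the invoking user's home, which linux-pax-flags.rb expands through SUDO_USER and then modifies as root; ruby.conf and steam.conf add many more such paths, some with wildcard directory components. Root-owned configuration therefore drives writes to locations an unprivileged user controls, and nothing visible in the script checks what a matched path resolves to. A comment at the top of the file such as `# Paths under ~ are user-writable and are changed as root` would document this. The script would also benefit from skipping matches that are not regular files, e.g. `next unless File.lstat(path).file?` before the flags are written.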
diff --git a/clamav.conf b/clamav.conf
new file mode 100644
index 000000000000..7cb614bcaddd
--- /dev/null
+++ b/clamav.conf
@@ -0,0 +1,6 @@
+# MPROTECT off
+PSmXER:
+ - /usr/bin/clamscan
+ - /usr/bin/freshclam
+ - /usr/sbin/clamd:
+ type: systemd
diff --git a/games.conf b/games.conf
new file mode 100644
index 000000000000..97588668d81f
--- /dev/null
+++ b/games.conf
@@ -0,0 +1,31 @@
+# MPROTECT and RANDMMAP off
+PSmXEr:
+ - /usr/bin/hwengine
+ - /usr/bin/pyrogenesis
+
+# PAGEEXEC and MPROTECT off
+pSmXER:
+ - /opt/Osmos/Osmos.bin*
+ - /usr/share/worldofgoo/WorldOfGoo.bin*
+
+# MPROTECT off
+PSmXER:
+ - /opt/Braid/braid
+ - /opt/doom3/doom.x86
+ - /opt/enemy-territory/et.x86
+ - /opt/games/Bastion/Bastion.bin.x86*
+ - /opt/quake3/ioquake3.i386
+ - /opt/quake3/ioquake3.x86_64
+ - /opt/quake4/q4ded.x86
+ - /opt/quake4/quake4.x86
+ - /opt/quake4/quake4smp.x86
+ - /opt/Rochard/Rochard
+ - /opt/Torchlight/Torchlight.bin.x86*
+ - /opt/wine-silverlight/bin/wine-preloader
+ - /usr/bin/bzflag
+ - /usr/bin/minetest
+ - /usr/bin/opencity
+ - /usr/share/darwinia/darwinia.bin.x86*
+ - /usr/share/legend-of-grimrock/Grimrock.bin.x86*
+ - /usr/share/games/amnesia-tdd/Amnesia.bin*
+ - /usr/share/games/amnesia-tdd/Launcher.bin*
diff --git a/imagemagick.conf b/imagemagick.conf
new file mode 100644
index 000000000000..a2201a754c2a
--- /dev/null
+++ b/imagemagick.conf
@@ -0,0 +1,13 @@
+# MPROTECT off
+PSmXER:
+ - /usr/bin/animate
+ - /usr/bin/compare
+ - /usr/bin/composite
+ - /usr/bin/conjure
+ - /usr/bin/convert
+ - /usr/bin/display
+ - /usr/bin/identify
+ - /usr/bin/import
+ - /usr/bin/mogrify
+ - /usr/bin/montage
+ - /usr/bin/stream
diff --git a/java.conf b/java.conf
new file mode 100644
index 000000000000..7c10aa16e8ba
--- /dev/null
+++ b/java.conf
@@ -0,0 +1,13 @@
+# All off :(
+psmxer:
+ - /opt/java/bin/java
+ - /opt/java/bin/javac
+ - /usr/lib/jvm/java-6-openjdk/bin/java
+ - /usr/lib/jvm/java-6-openjdk/bin/javac
+ - /usr/lib/jvm/java-6-openjdk/jre/bin/java
+ - /usr/lib/jvm/java-7-openjdk/bin/javac
+ - /usr/lib/jvm/java-7-openjdk/jre/bin/java
+
+# MPROTECT off
+PSmXER:
+ - /usr/lib/jvm/java-7-openjdk/bin/jar
diff --git a/kde.conf b/kde.conf
new file mode 100644
index 000000000000..09c03cc514af
--- /dev/null
+++ b/kde.conf
@@ -0,0 +1,22 @@
+# MPROTECT off
+PSmXER:
+ - /usr/bin/akonadi_sendlater_agent
+ - /usr/bin/akonadi_archivemail_agent
+ - /usr/bin/akonadi_mailfilter_agent
+ - /usr/bin/akonadiconsole
+ - /usr/bin/akregator
+ - /usr/bin/blogilo
+ - /usr/bin/kdeinit4
+ - /usr/bin/kdenlive
+ - /usr/bin/kmail
+ - /usr/bin/knode
+ - /usr/bin/knotify4
+ - /usr/bin/kontact
+ - /usr/bin/kwin
+ - /usr/bin/okular
+ - /usr/lib/kde4/libexec/drkonqi
+ - /usr/lib/kde4/libexec/kwin_opengl_test
+
+# MPROTECT and RANDMMAP off
+PSmXEr:
+ - /usr/lib/kde4/libexec/kscreenlocker_greet
diff --git a/linux-pax-flags.8 b/linux-pax-flags.8
new file mode 100644
index 000000000000..72b0107c8b8b
--- /dev/null
+++ b/linux-pax-flags.8
@@ -0,0 +1,112 @@
+.TH linux-pax-flags 8 "" 2013-02-18
+.SH NAME
+\fBlinux-pax-flags\fR \- Configure PaX flags for several binaries
+.SH SYNOPSIS
+\fBlinux-pax-flags\fR [options] [filter]
+.SH DESCRIPTION
+\fBlinux-pax-flags\fR is written to configure PaX flags for a set of binaries.
+It is intended to ease the usage of PaX (linux-pax) or grsecurity (linux-grsec,
+linux-grsec-lts) enabled kernel on Arch Linux.
+.P
+PaX flags for a set of binaries are collected in YAML format configuration
+files. By default, every .conf file from /etc/pax-flags and
+/usr/share/linux-pax-flags is read. See the CONFIGURATION section for the file
+format.
+.P
+Root privileges are needed. If you set a value to $PAX_FLAGS_SUDO,
+\fBlinux-pax-flags\fR will be called with sudo.
+.SH OPTIONS
+.TP
+\-c, \-\-config <path>
+Override default configuration paths. Requires one path argument. Can contain
+globs (escape them in some shells (zsh for example)).
+.TP
+\-h, \-\-help
+Displays a short usage message and option summary.
+.TP
+\-p, \-\-prepend
+Do not actually change anything.
+.TP
+\-x, \-\-xattr
+Sets the PaX flags through setfattr, underlying filesystems need xattr support.
+.TP
+\-y, \-\-yes
+Non-interactive mode. Assume yes on any question.
+.SH FILES
+.TP
+/etc/pax-flags/*.conf
+Files for overriding the standard flag set and path pattern configuration.
+.TP
+/usr/share/linux-pax-flags/*.conf
+The shipped configuration.
+.SH CONFIGURATION
+There are \fBsimple\fR configuration entries and \fBcomplex\fR ones. Complex
+configuration for a certain flag set and path pattern overrides simple. To
+override a simple entry with a complex one, the flag sets and path patterns have
+to match exactly.
+.SS "Simple entries"
+Simple configuration entries just set the PaX flags for a set of binaries. The
+format is as follows:
+.P
+PSmXER:
+.br
+ \- /usr/bin/ruby
+ \- /usr/bin/glx*
+.P
+\fBPSmXER\fR is the set of flags. Every letter represents a PaX flag. Uppercase
+enables the flag, lowercase disables it. See paxctl(1) for more details. This
+example disables MPROTECT on /usr/bin/ruby and /usr/bin/glx*.
+.SS "Complex entries"
+With complex entries it is possible to stop a daemon before setting the flags
+and starting it afterwards. The format is as follows:
+.P
+PSmXER:
+.br
+ \- /usr/sbin/clamd:
+ type: systemd
+.P
+This would stop clamd, disable MPROTECT for the binary and start the daemon
+again. The \fBtype\fR option values correspond to presets of status, start, stop
+actions. Currently there exists only "systemd". By default the systemd unit file
+would be "clamd" in this case or the basename of the path in general.
+.P
+PSmXEr:
+.br
+ \- /usr/lib/polkit-1/polkitd:
+ type: systemd
+ systemd_name: polkit
+.P
+The \fBsystemd_name\fR option can be used to configure a differing systemd unit
+name.
+.P
+PSmXEr:
+.br
+ \- /usr/lib/firefox/firefox:
+ status: "pidof firefox"
+ start: "firefox &"
+ stop: "killall firefox"
+.P
+This would configure custom actions for \fBstatus\fR, \fBstart\fR and
+\fBstop\fR.
+.P
+PSmXER:
+.br
+ \- /usr/bin/ruby:
+ skip: true
+.P
+This would override a simple entry for the same flag set and path pattern and
+cause it to be skipped.
+.P
+PSmXER:
+.br
+ \- /usr/lib32/skype/skype:
+ header: create
+.P
+This would cause paxctl to not convert the old binary header, but create a new
+one. See paxctl(1) for more details.
+.SH AUTHOR
+henning mueller <henning@orgizm.net>
+.SH SEE ALSO
+\- paxctl(1)
+.br
+\- http://www.yaml.org
diff --git a/linux-pax-flags.rb b/linux-pax-flags.rb
new file mode 100755
index 000000000000..d5c00c9483a0
--- /dev/null
+++ b/linux-pax-flags.rb
@@ -0,0 +1,278 @@
+#!/usr/bin/env ruby
+
+require 'getoptlong'
+require 'readline'
+require 'singleton'
+require 'yaml'
+
+# Monkey-path the Array class.
+class Array
+ # ["foo", {"foo" => 1}].cleanup => [{"foo" => 1}]
+ # If the key in a Hash element of an Array is also present as an element of
+ # the Array, delete the latter.
+ def cleanup
+ array = self.dup
+ self.grep(Hash).map(&:keys).flatten.each do |x|
+ array.delete x
+ end
+ array
+ end
+end
+
+# Class handles configuration parameters.
+class FlagsConfig < Hash
+ # This is a singleton class.
+ include Singleton
+
+ # Merges a Hash or YAML file (containing a Hash) with itself.
+ def load config
+ if config.class == Hash
+ merge! config
+ return
+ end
+
+ unless config.nil?
+ merge_yaml! config
+ end
+ end
+
+ # Merge Config Hash with Hash in YAML file.
+ def merge_yaml! path
+ merge!(load_file path) do |key, old, new|
+ (old + new).uniq.cleanup if old.is_a? Array and new.is_a? Array
+ end
+ end
+
+ # Load YAML file and work around tabs not working for identation.
+ def load_file path
+ YAML.load open(path).read.gsub(/\t/, ' ')
+ rescue Psych::SyntaxError => e
+ print path, ':', e.message.split(':').last, "\n"
+ exit 1
+ end
+end
+
+# A method to print a beautiful usage message.
+def usage
+ $stderr.puts <<EOF
+#{File.basename($0)} [options] [filters]
+
+ OPTIONS
+
+ -c, --config Override default configuration paths. Requires one
+ argument. Can contain globs (escape them in some shells
+ (zsh for example)).
+ -h, --help This help.
+ -p, --prepend Do not change anything.
+ -y, --yes Non-interactive mode. Assume yes on questions.
+ -x, --xattr Sets the PaX flags through setfattr, underlying
+ filesystems need xattr support.
+
+ FILTERS
+
+ Only change flags for paths, which contain one of these filters as a string.
+
+EOF
+ exit 1
+end
+
+# This iterates each config entry (which matches the filters). It yields flags,
+# entry, pattern and path of the config entry to the block code.
+def each_entry config, filters
+ config.each do |flags, entries|
+ entries.each do |entry|
+ # Distinguish easy (String) and complex (Hash) config entries.
+ if entry.is_a? String
+ pattern = entry
+ elsif entry.is_a? Hash
+ pattern = entry.keys.first
+ end
+
+ # Skip this entry, if its path pattern does not contain one of the
+ # filters.
+ # TODO Do this for every matching path.
+ unless filters.empty?
+ temp_filters = filters.dup
+ temp_filters.keep_if do |filter|
+ pattern.downcase.include? filter.downcase
+ end
+ next if temp_filters.empty?
+ end
+
+ # If this runs with sudo, the ~ (for the users home path) have to point to
+ # the user who runs it, not to root.
+ unless ENV['SUDO_USER'].nil?
+ paths = File.expand_path pattern.gsub('~', '~' + ENV['SUDO_USER'])
+ else
+ paths = File.expand_path pattern
+ end
+
+ # Now yield for every matching path.
+ Dir.glob(paths).each do |path|
+ yield flags, entry, pattern, path
+ end
+ end
+ end
+end
+
+# Trap SIGINT (ctrl+c)
+trap(:INT) { exit 1 }
+
+# Define the possible options.
+options = GetoptLong.new(
+ ['--config', '-c', GetoptLong::REQUIRED_ARGUMENT],
+ ['--help', '-h', GetoptLong::NO_ARGUMENT],
+ ['--prepend', '-p', GetoptLong::NO_ARGUMENT],
+ ['--xattr', '-x', GetoptLong::NO_ARGUMENT],
+ ['--yes', '-y', GetoptLong::NO_ARGUMENT],
+)
+
+# Initialize option variables.
+new_configs = []
+prepend = false
+yes = false
+xattr = false
+
+# Set option variables.
+begin
+ options.each do |option, argument|
+ case option
+ when '--config'
+ new_configs = Dir.glob argument
+ when '--help'
+ usage
+ when '--prepend'
+ prepend = true
+ when '--xattr'
+ xattr = true
+ when '--yes'
+ yes = true
+ end
+ end
+rescue GetoptLong::InvalidOption => e
+ usage
+end
+
+# Whatever is left over is a filter.
+filters = ARGV
+
+# Exit if we are not running with root privileges.
+if Process.uid != 0
+ $stderr << "Root privileges needed.\n"
+ exit 1
+end
+
+# Either default config paths or overridden ones.
+config_paths = if new_configs.empty?
+ ['/etc/pax-flags/*.conf', '/usr/share/linux-pax-flags/*.conf']
+else
+ new_configs
+end
+
+# Initialize the singleton config object...
+config = FlagsConfig.instance
+
+# ... and load every config file.
+config_paths.each do |path|
+ Dir.glob(path).each do |file|
+ config.load file
+ end
+end
+
+# Helper text for simple entries.
+puts <<EOF
+Some programs do not work properly without deactivating some of the PaX
+features. Please close all instances of them if you want to change the
+configuration for the following binaries.
+EOF
+
+# Show every simple entry.
+each_entry config, filters do |flags, entry, pattern, path|
+ puts ' * ' + path if File.exists? path and entry.is_a? String
+end
+
+# Let us sum up the complex entries...
+autopaths = []
+each_entry config, filters do |flags, entry, pattern, path|
+ if File.exists? path and entry.is_a? Hash
+ autopaths.push path if not (entry.nil? and entry[path]['skip'])
+ end
+end
+
+# ... to decide, if we need to print them.
+unless autopaths.empty?
+ puts <<EOF
+
+For the following programs there are also changes neccessary but you do not have
+to close or restart instances of them manually.
+EOF
+
+ autopaths.each do |path|
+ puts ' * ' + path
+ end
+end
+
+puts
+puts 'Continue writing PaX headers? [Y/n]'
+
+$stdout.flush
+
+unless yes
+ a = Readline.readline.chomp.downcase
+ exit 1 if a.downcase != 'y' unless a.empty?
+end
+
+# Iterate each entry to actually set the flags.
+each_entry config, filters do |flags, entry, pattern, path|
+ if File.exists? path
+ e = entry[pattern]
+ actions = %w(status start stop)
+ start_again = false
+
+ # Get action commands from entries config.
+ status = e['status']
+ start = e['start']
+ stop = e['stop']
+
+ # If the type attribute is set to systemd, we set the action command
+ # variables again but to systemd defaults.
+ if e['type'] == 'systemd'
+ name = e['systemd_name'] || File.basename(path)
+ actions.each do |action|
+ eval "#{action} = \"systemctl #{action} #{name}.service\""
+ end
+ end
+
+ # If the entry is complex, stop it if it is running.
+ if entry.is_a? Hash
+ if status and system(status + '> /dev/null')
+ system stop unless prepend
+ start_again = true if start
+ end
+ end
+
+ if xattr
+ # setfattr seems to be picky about the order of the flags,
+ # rearrange it beforehand
+ xflags = flags[/[Pp]/] + flags[/[Ee]/] + flags[/[Mm]/] +
+ flags[/[Rr]/] + flags[/[Ss]/]
+ print xflags, ' ', path, "\n"
+ else
+ print flags, ' ', path, "\n"
+ end
+
+ # Set the flags and notify the user.
+ unless prepend
+ if xattr
+ `setfattr -n user.pax.flags -v #{xflags} "#{path}"`
+ else
+ header = 'c'
+ header = 'C' if e['header'] == 'create'
+ `paxctl -#{header}#{flags} "#{path}"`
+ end
+ end
+
+ # Start the complex entries service again, if it is neccessary.
+ system start unless prepend if start_again
+ end
+end
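Review bot: The two backtick command strings near the end of the main loop (the `setfattr` and `paxctl` calls) pass `path` through a shell running as root. `path` comes from `Dir.glob` over patterns that include wildcard directories under the invoking user's home (steam.conf, ruby.conf), so a file name containing a quote, backtick or `$` is parsed as shell syntax rather than as one argument. Use the argv form, which starts no shell, and check its result so a failed flag change is reported: `system 'setfattr', '-n', 'user.pax.flags', '-v', xflags, path` and `system 'paxctl', "-#{header}#{flags}", path`. The `eval` that builds the systemd commands interpolates the config-supplied `systemd_name` into Ruby source and is not needed; `status, start, stop = actions.map { |a| "systemctl #{a} #{name}.service" }` assigns the same strings. `load_file` would likewise be safer as `YAML.safe_load(File.read(path).gsub(/\t/, ' '))`, since `YAML.load` can instantiate arbitrary objects and the handle from `open(path)` is never closed.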
diff --git a/linux-pax-flags.sh b/linux-pax-flags.sh
new file mode 100755
index 000000000000..612f6cf93381
--- /dev/null
+++ b/linux-pax-flags.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+ruby=$(which ruby)
+
+[ -z $PAX_FLAGS_SUDO ] && sudo='' || sudo='sudo'
+
+[ "$(paxctl -v $ruby 2>/dev/null)" ] || {
+ $sudo paxctl -cm $ruby
+}
+
+$sudo systemctl --system daemon-reload
+
+$sudo linux-pax-flags.rb $@
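Review bot: `$@`, `$ruby` and `$PAX_FLAGS_SUDO` are expanded unquoted, so a filter or `--config` argument containing spaces or an escaped glob is re-split and re-expanded by this wrapper before it reaches linux-pax-flags.rb, and `[ -z $PAX_FLAGS_SUDO ]` misbehaves when the value contains whitespace. Quote them: `[ -z "$PAX_FLAGS_SUDO" ]`, `$sudo paxctl -cm "$ruby"` and `$sudo linux-pax-flags.rb "$@"`. Separately, `which ruby` resolves through the caller's PATH and the result is then modified with root privileges, before any confirmation prompt and even when `--prepend` is passed. Using a fixed interpreter path, or checking that the resolved file is root-owned before calling `paxctl -cm`, would keep that step predictable.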
diff --git a/polkit.conf b/polkit.conf
new file mode 100644
index 000000000000..5a97136d255d
--- /dev/null
+++ b/polkit.conf
@@ -0,0 +1,5 @@
+# MPROTECT and RANDMMAP off
+PSmXEr:
+ - /usr/lib/polkit-1/polkitd:
+ type: systemd
+ systemd_name: polkit
diff --git a/qemu.conf b/qemu.conf
new file mode 100644
index 000000000000..428d2928b009
--- /dev/null
+++ b/qemu.conf
@@ -0,0 +1,51 @@
+# SEGMEXEC and MPROTECT off
+# (RANDEXEC is not activatable for qemu. The binaries seem to be compiled
+# with PIE enabled, though.)
+PsmxER:
+ - /usr/bin/qemu-alpha
+ - /usr/bin/qemu-arm
+ - /usr/bin/qemu-armeb
+ - /usr/bin/qemu-cris
+ - /usr/bin/qemu-i386
+ - /usr/bin/qemu-m68k
+ - /usr/bin/qemu-microblaze
+ - /usr/bin/qemu-microblazeel
+ - /usr/bin/qemu-mips
+ - /usr/bin/qemu-mipsel
+ - /usr/bin/qemu-ppc
+ - /usr/bin/qemu-ppc64
+ - /usr/bin/qemu-ppc64abi32
+ - /usr/bin/qemu-s390x
+ - /usr/bin/qemu-sh4
+ - /usr/bin/qemu-sh4eb
+ - /usr/bin/qemu-sparc
+ - /usr/bin/qemu-sparc32plus
+ - /usr/bin/qemu-sparc64
+ - /usr/bin/qemu-unicore32
+ - /usr/bin/qemu-x86_64
+
+# MPROTECT off
+PSmXER:
+ - /usr/bin/qemu-system-alpha
+ - /usr/bin/qemu-system-arm
+ - /usr/bin/qemu-system-cris
+ - /usr/bin/qemu-system-i386
+ - /usr/bin/qemu-system-lm32
+ - /usr/bin/qemu-system-m68k
+ - /usr/bin/qemu-system-microblaze
+ - /usr/bin/qemu-system-microblazeel
+ - /usr/bin/qemu-system-mips
+ - /usr/bin/qemu-system-mips64
+ - /usr/bin/qemu-system-mips64el
+ - /usr/bin/qemu-system-mipsel
+ - /usr/bin/qemu-system-ppc
+ - /usr/bin/qemu-system-ppc64
+ - /usr/bin/qemu-system-ppcemb
+ - /usr/bin/qemu-system-s390x
+ - /usr/bin/qemu-system-sh4
+ - /usr/bin/qemu-system-sh4eb
+ - /usr/bin/qemu-system-sparc
+ - /usr/bin/qemu-system-sparc64
+ - /usr/bin/qemu-system-x86_64
+ - /usr/bin/qemu-system-xtensa
+ - /usr/bin/qemu-system-xtensaeb
diff --git a/ruby.conf b/ruby.conf
new file mode 100644
index 000000000000..c6d976649dc0
--- /dev/null
+++ b/ruby.conf
@@ -0,0 +1,8 @@
+# MPROTECT off
+PSmXER:
+ - ~/.rbenv/versions/?.?.?{,-p*}/bin/ruby
+ - ~/.rbenv/versions/?.?.?{,-p*}/lib/ruby/gems/*/gems/capybara-webkit-*/bin/webkit_server
+ - ~/.rvm/rubies/ruby-?.?.?{,-p*}/bin/ruby
+ - ~/.rvm/gems/ruby-?.?.?{,-p*}/gems/capybara-webkit-*/bin/webkit_server
+ - /usr/bin/rbx
+ - /usr/bin/ruby
diff --git a/simple.conf b/simple.conf
new file mode 100644
index 000000000000..614e9ab3a49f
--- /dev/null
+++ b/simple.conf
@@ -0,0 +1,55 @@
+# RANDMMAP off
+PSMXEr:
+ - /usr/bin/grub-script-check
+
+# MPROTECT and RANDMMAP off
+PSmXEr:
+ - /usr/bin/gnome-shell
+ - /usr/bin/grub-bios-setup
+ - /usr/lib/gcc/x86_64-unknown-linux-gnu/*/cc1plus
+ - /usr/lib/thunderbird/thunderbird
+
+# MPROTECT off
+PSmXER:
+ - /usr/bin/blender
+ - /usr/bin/btsync
+ - /usr/bin/cabal
+ - /usr/bin/cheese
+ - /usr/bin/dolphin-emu
+ - /usr/bin/dosbox
+ - /usr/bin/epiphany
+ - /usr/bin/gendesk
+ - /usr/bin/glxdemo
+ - /usr/bin/glxgears
+ - /usr/bin/glxinfo
+ - /usr/bin/glxspheres
+ - /usr/bin/goldendict
+ - /usr/bin/gtk-query-immodules-*
+ - /usr/bin/inkscape
+ - /usr/bin/konstruktor
+ - /usr/bin/liferea
+ - /use/bin/minitube
+ - /usr/bin/mono
+ - /usr/bin/mplayer
+ - /usr/bin/mumble
+ - /usr/bin/obex-data-server
+ - /usr/bin/python2
+ - /usr/bin/scheme
+ - /usr/bin/seahorse
+ - /usr/bin/spicec
+ - /usr/bin/systemsettings
+ - /usr/bin/tcc
+ - /usr/bin/vlc
+ - /usr/lib/erlang/erts-*/bin/beam
+ - /usr/lib/erlang/erts-*/bin/beam.smp
+ - /usr/lib/ghc-*/ghc
+ - /usr/lib/libreoffice/program/soffice.bin
+ - /usr/lib/webkitgtk/WebKitWebProcess
+ - /usr/lib/xbmc/xbmc.bin
+ - /usr/sbin/grub-probe
+ - /usr/sbin/vbetool
+ - /opt/dropbox/dropbox
+
+# PAGEEXEC, MPROTECT, EMUTRAMP and RANDMMAP off
+pSmXer:
+ - /usr/bin/sbcl
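Review bot: The entry `/use/bin/minitube` in the MPROTECT-off list looks like a typo for `/usr/bin/minitube`; as written the glob matches nothing, so the entry is silently ignored and the binary never gets its flags. Change the line to `- /usr/bin/minitube`.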
diff --git a/skype.conf b/skype.conf
new file mode 100644
index 000000000000..8c9aca3b3fdf
--- /dev/null
+++ b/skype.conf
@@ -0,0 +1,3 @@
+PSmXER:
+ - /usr/lib*/skype/skype:
+ header: create
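Review bot: This is the only shipped config in the commit without a comment naming the feature being disabled; adding `# MPROTECT off` above `PSmXER:` would match the other files. A second comment such as `# header: create => paxctl creates a new PaX header instead of converting the old one` would explain the complex entry in place, in line with what the man page in this commit says about the option.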
diff --git a/steam.conf b/steam.conf
new file mode 100644
index 000000000000..2a6d48b74aa4
--- /dev/null
+++ b/steam.conf
@@ -0,0 +1,63 @@
+# MPROTECT off
+PSmXER:
+ - ~/.steam/steam/ubuntu12_32/gameoverlayui
+ - ~/.steam/steam/ubuntu12_32/steam
+ - ~/.steam/steam/ubuntu12_32/steamwebhelper
+ - ~/.steam/steam/ubuntu12_32/streaming_client
+ - ~/.steam/steam/SteamApps/*/*/hl2_linux
+ - ~/.steam/steam/SteamApps/common/Amnesia The Dark Descent/*.bin*
+ - ~/.steam/steam/SteamApps/common/Machine for Pigs/AmnesiaAMFP.bin.x86
+ - ~/.steam/steam/SteamApps/common/Anna/Anna
+ - ~/.steam/steam/SteamApps/common/Anomaly Warzone Earth/AnomalyWarzoneEarth
+ - ~/.steam/steam/SteamApps/common/Awesomenauts/*.bin.x86
+ - ~/.steam/steam/SteamApps/common/Bastion/Linux/Bastion.bin.x86
+ - ~/.steam/steam/SteamApps/common/Broken Age/BrokenAge
+ - ~/.steam/steam/SteamApps/common/Capsized/NePlusUltra.bin.x86*
+ - ~/.steam/steam/SteamApps/common/Cave Story+/CaveStory+
+ - ~/.steam/steam/SteamApps/common/Closure/Closure.bin.x86
+ - ~/.steam/steam/SteamApps/common/Cogs/Cogs-x86
+ - ~/.steam/steam/SteamApps/common/dota 2 beta/dota_linux
+ - ~/.steam/steam/SteamApps/common/Darwinia/darwinia.bin.x86
+ - ~/.steam/steam/SteamApps/common/Dungeon Defenders/UDKGame/Binaries/DungeonDefenders-x86
+ - ~/.steam/steam/SteamApps/common/English Country Tune/English Country Tune
+ - ~/.steam/steam/SteamApps/common/FEZ/FEZ.bin.x86*
+ - ~/.steam/steam/SteamApps/common/FTL Faster Than Light/data/amd64/bin/FTL
+ - ~/.steam/steam/SteamApps/common/Gone Home/GoneHome.x86*
+ - ~/.steam/steam/SteamApps/common/Gratuitous Space Battles/GSB.bin.x86*
+ - ~/.steam/steam/SteamApps/common/Guns of Icarus Online/GunsOfIcarusOnline
+ - ~/.steam/steam/SteamApps/common/KillingFloor/System/killingfloor-bin
+ - ~/.steam/steam/SteamApps/common/Legend of Grimrock/Grimrock.bin.x86
+ - ~/.steam/steam/SteamApps/common/Little Inferno*/LittleInferno.bin.x86
+ - ~/.steam/steam/SteamApps/common/Monaco/Monaco.bin.x86
+ - ~/.steam/steam/SteamApps/common/Oil Rush/bin/launcher_x86
+ - ~/.steam/steam/SteamApps/common/Oil Rush/bin/OilRush_x86
+ - ~/.steam/steam/SteamApps/common/Osmos/Osmos.bin32
+ - ~/.steam/steam/SteamApps/common/Portal 2/portal2_linux
+ - ~/.steam/steam/SteamApps/common/Proteus/Proteus.bin.x86
+ - ~/.steam/steam/SteamApps/common/Psychonauts/Psychonauts
+ - ~/.steam/steam/SteamApps/common/red orchestra/System/redorchestra-bin
+ - ~/.steam/steam/SteamApps/common/Rochard/Rochard
+ - ~/.steam/steam/SteamApps/common/Shadowrun Returns/Shadowrun{,Editor}
+ - ~/.steam/steam/SteamApps/common/Shank 2/bin/shank2-bin
+ - ~/.steam/steam/SteamApps/common/Shatter/SettingsEditor.bin.x86
+ - ~/.steam/steam/SteamApps/common/Shatter/Shatter.bin.x86
+ - ~/.steam/steam/SteamApps/common/SpaceChem/mono
+ - ~/.steam/steam/SteamApps/common/Space Pirates and Zombies/SPAZ
+ - ~/.steam/steam/SteamApps/common/Spirits/Spirits-32
+ - ~/.steam/steam/SteamApps/common/Superbrothers Sword & Sworcery EP/bin/swordandsworcery_pc
+ - ~/.steam/steam/SteamApps/common/star conflict/StarConflict
+ - ~/.steam/steam/SteamApps/common/thomaswasalone/thomasWasAlone
+ - ~/.steam/steam/SteamApps/common/The Bards Tale/BardTale
+ - ~/.steam/steam/SteamApps/common/The Book of Unwritten Tales/bin/32/kAGE
+ - ~/.steam/steam/SteamApps/common/The Critter Chronicles/bin/32/kAGE
+ - ~/.steam/steam/SteamApps/common/The Journey Down/JourneyDown1
+ - ~/.steam/steam/SteamApps/common/The Raven/launcher*/TheRavenLauncher
+ - ~/.steam/steam/SteamApps/common/The Raven/raven/raven_game.x*
+ - ~/.steam/steam/SteamApps/common/TinyAndBig/tinyandbig
+ - ~/.steam/steam/SteamApps/common/Trine 2/bin/trine2_linux_*
+ - ~/.steam/steam/SteamApps/common/Uplink/uplink.bin.x86
+ - ~/.steam/steam/SteamApps/common/Violett/violett.x86
+ - ~/.steam/steam/SteamApps/common/Waking Mars/wakingmars/wakingmars
+ - ~/.steam/steam/SteamApps/common/World of Goo/WorldOfGoo
+ - ~/.steam/steam/SteamApps/common/Zen Bound 2/ZenBound2.bin.x86
+ - /usr/lib32/ld-2.??.so
diff --git a/valgrind.conf b/valgrind.conf
new file mode 100644
index 000000000000..6d25559aed96
--- /dev/null
+++ b/valgrind.conf
@@ -0,0 +1,25 @@
+# MPROTECT off
+PSmXER:
+ - /usr/bin/valgrind
+ - /usr/lib/valgrind/cachegrind-amd64-linux
+ - /usr/lib/valgrind/cachegrind-x86-linux
+ - /usr/lib/valgrind/callgrind-amd64-linux
+ - /usr/lib/valgrind/callgrind-x86-linux
+ - /usr/lib/valgrind/drd-amd64-linux
+ - /usr/lib/valgrind/drd-x86-linux
+ - /usr/lib/valgrind/exp-bbv-amd64-linux
+ - /usr/lib/valgrind/exp-bbv-x86-linux
+ - /usr/lib/valgrind/exp-dhat-amd64-linux
+ - /usr/lib/valgrind/exp-dhat-x86-linux
+ - /usr/lib/valgrind/exp-sgcheck-amd64-linux
+ - /usr/lib/valgrind/exp-sgcheck-x86-linux
+ - /usr/lib/valgrind/helgrind-amd64-linux
+ - /usr/lib/valgrind/helgrind-x86-linux
+ - /usr/lib/valgrind/lackey-amd64-linux
+ - /usr/lib/valgrind/lackey-x86-linux
+ - /usr/lib/valgrind/massif-amd64-linux
+ - /usr/lib/valgrind/massif-x86-linux
+ - /usr/lib/valgrind/memcheck-amd64-linux
+ - /usr/lib/valgrind/memcheck-x86-linux
+ - /usr/lib/valgrind/none-amd64-linux
+ - /usr/lib/valgrind/none-x86-linux
diff --git a/wine.conf b/wine.conf
new file mode 100644
index 000000000000..77b33053d654
--- /dev/null
+++ b/wine.conf
@@ -0,0 +1,4 @@
+# All off :(
+psmxer:
+ - /usr/bin/wine-preloader
+ - /usr/bin/wine64-preloader