From 11feaef641dd00215b04a2456cc1898d024b5e9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Fabian=20Silva=20Delgado?=
Date: Sat, 4 Jan 2014 16:16:40 -0200
Subject: pax-flags-libre: add new package to kernels repo
---
 kernels/pax-flags-libre/PKGBUILD | 51 ++++++
 kernels/pax-flags-libre/clamav.conf | 6 +
 kernels/pax-flags-libre/games.conf | 15 ++
 kernels/pax-flags-libre/java.conf | 13 ++
 kernels/pax-flags-libre/kde.conf | 22 +++
 kernels/pax-flags-libre/pax-flags-libre.8 | 112 ++++++++++++
 kernels/pax-flags-libre/pax-flags-libre.rb | 278 +++++++++++++++++++++++++++++
 kernels/pax-flags-libre/pax-flags-libre.sh | 13 ++
 kernels/pax-flags-libre/polkit.conf | 5 +
 kernels/pax-flags-libre/qemu.conf | 51 ++++++
 kernels/pax-flags-libre/replicant.conf | 8 +
 kernels/pax-flags-libre/ruby.conf | 7 +
 kernels/pax-flags-libre/simple.conf | 59 ++++++
 kernels/pax-flags-libre/valgrind.conf | 25 +++
 14 files changed, 665 insertions(+)
 create mode 100644 kernels/pax-flags-libre/PKGBUILD
 create mode 100644 kernels/pax-flags-libre/clamav.conf
 create mode 100644 kernels/pax-flags-libre/games.conf
 create mode 100644 kernels/pax-flags-libre/java.conf
 create mode 100644 kernels/pax-flags-libre/kde.conf
 create mode 100644 kernels/pax-flags-libre/pax-flags-libre.8
 create mode 100755 kernels/pax-flags-libre/pax-flags-libre.rb
 create mode 100755 kernels/pax-flags-libre/pax-flags-libre.sh
 create mode 100644 kernels/pax-flags-libre/polkit.conf
 create mode 100644 kernels/pax-flags-libre/qemu.conf
 create mode 100644 kernels/pax-flags-libre/replicant.conf
 create mode 100644 kernels/pax-flags-libre/ruby.conf
 create mode 100644 kernels/pax-flags-libre/simple.conf
 create mode 100644 kernels/pax-flags-libre/valgrind.conf
diff --git a/kernels/pax-flags-libre/PKGBUILD b/kernels/pax-flags-libre/PKGBUILD
new file mode 100644
index 000000000..b36d6fa20
--- /dev/null
+++ b/kernels/pax-flags-libre/PKGBUILD
@@ -0,0 +1,51 @@
+# Contributors:
+# henning mueller
+# Ahmad24, duncant, echoblack, niki, ShadowKyogre, s1gma, test0
+#
+# Forked libre version which blacklists nonfree software for Parabola here:
+# https://github.com/g4jc/pax-flags-libre
+#
+
+pkgname=pax-flags-libre
+pkgdesc='Deactivates PaX flags for several binaries to work with PaX enabled kernels, without nonfree software support'
+pkgver=2.0.14
+pkgrel=2
+arch=(any)
+url='https://github.com/g4jc/pax-flags-libre'
+license=(GPL3)
+depends=(ruby paxctl)
+optdepends=('sudo: Run as root automatically.')
+replaces=linux-pax-flags
+conflicts=linux-pax-flags
+provides=linux-pax-flags
+source=(
+ $pkgname.sh $pkgname.rb $pkgname.8
+ replicant.conf clamav.conf games.conf java.conf kde.conf polkit.conf qemu.conf
+ ruby.conf simple.conf valgrind.conf
+)
+
+package() {
+ install -D -m755 $srcdir/$pkgname.sh $pkgdir/usr/bin/$pkgname
+ install -D -m755 $srcdir/$pkgname.rb $pkgdir/usr/bin/$pkgname.rb
+ install -D -m644 $srcdir/$pkgname.8 $pkgdir/usr/share/man/man8/$pkgname.8
+
+ for config in $srcdir/*.conf; do
+ install -D -m600 $config $pkgdir/usr/share/$pkgname/$(basename $config)
+ done
+
+ mkdir -p $pkgdir/etc/pax-flags
+}
+
+sha256sums=('8581506830903ffcbb0876e4380d660ff044d9805d68f1432753c5bb99dc0db9'
+ 'ee66dc1087f501a7ebb89b0ec36125b94dc87ce560aa38c6d606dad1818d5b95'
+ '9d62896dd51be4979cd85bfcd09de219f6068ec312f27e2a66f7a2f2c78d1f38'
+ '7bbbad18a19150893916995723cd7e256a7b4e2baa5c2ff57bc27886c40f51fc'
+ 'bb87f4dce8e20f2ce601bdcb888dd688d8f0e9d0ab367e09c8081daffa15b03a'
+ '298bf32f4e8193d4cc5a4eb98369dc564afe51849046fd5673150cea51950985'
+ '71afe786955d149fe216ff1a60348562914a6820d3b7f9dc42aa44913062b04e'
+ '01ddeec77c605e1d3aa00a1fdc4c3537989468ab78da5f37b893cdbcfe34176c'
+ '1f205fddfb427a696fb00221a3007453e25fbbf180ea026c264d23eeac9e1870'
+ '2736d0ef20d0127c34e132db38d8993dee3062ba0ac0cdf8d444a8d3665698b8'
+ '6171eefd363f2c70bed9ac41fae3458d9e03460fdaf079c99445482e9649555a'
+ '5cd70e01fc7c8867d3ee9160fecf44c028947b54788a41833789c71ef5cef9a4'
+ 'ea003c4201745cd0c4bcf5cec5ca2d0a79cc6b1b04ceaa276ace0ad0287b8c50')
diff --git a/kernels/pax-flags-libre/clamav.conf b/kernels/pax-flags-libre/clamav.conf
new file mode 100644
index 000000000..7cb614bca
--- /dev/null
+++ b/kernels/pax-flags-libre/clamav.conf
@@ -0,0 +1,6 @@
+# MPROTECT off
+PSmXER:
+ - /usr/bin/clamscan
+ - /usr/bin/freshclam
+ - /usr/sbin/clamd:
+ type: systemd
diff --git a/kernels/pax-flags-libre/games.conf b/kernels/pax-flags-libre/games.conf
new file mode 100644
index 000000000..9b5bd943a
--- /dev/null
+++ b/kernels/pax-flags-libre/games.conf
@@ -0,0 +1,15 @@
+# MPROTECT and RANDMMAP off
+PSmXEr:
+ - /usr/bin/pyrogenesis
+
+# PAGEEXEC and MPROTECT off
+#pSmXER:
+# TODO
+
+# MPROTECT off
+PSmXER:
+ - /opt/doom3/doom.x86
+ - /opt/enemy-territory/et.x86
+ - /opt/quake3/ioquake3.i386
+ - /opt/quake3/ioquake3.x86_64
+
diff --git a/kernels/pax-flags-libre/java.conf b/kernels/pax-flags-libre/java.conf
new file mode 100644
index 000000000..7c10aa16e
--- /dev/null
+++ b/kernels/pax-flags-libre/java.conf
@@ -0,0 +1,13 @@
+# All off :(
+psmxer:
+ - /opt/java/bin/java
+ - /opt/java/bin/javac
+ - /usr/lib/jvm/java-6-openjdk/bin/java
+ - /usr/lib/jvm/java-6-openjdk/bin/javac
+ - /usr/lib/jvm/java-6-openjdk/jre/bin/java
+ - /usr/lib/jvm/java-7-openjdk/bin/javac
+ - /usr/lib/jvm/java-7-openjdk/jre/bin/java
+
+# MPROTECT off
+PSmXER:
+ - /usr/lib/jvm/java-7-openjdk/bin/jar
diff --git a/kernels/pax-flags-libre/kde.conf b/kernels/pax-flags-libre/kde.conf
new file mode 100644
index 000000000..09c03cc51
--- /dev/null
+++ b/kernels/pax-flags-libre/kde.conf
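Review bot: The paths in package() are unquoted (`$srcdir/$pkgname.sh`, `$pkgdir/usr/bin/$pkgname`, `$config`), so a build directory containing a space or a glob character breaks the install loop; the makepkg convention is to quote them, e.g. `install -D -m600 "$config" "$pkgdir/usr/share/$pkgname/$(basename "$config")"`. The shipped .conf files are installed with `-m600` under /usr/share, which only root can read; they hold no secrets and the man page presents them as the shipped configuration that users override from /etc/pax-flags, so `-m644` would let users inspect what they are overriding without changing what the root-only script can read. The thirteen sha256sums do line up with the thirteen entries in source=().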
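Review bot: The `psmxer` block turns off every PaX flag for the java and javac launchers, but the `# All off :(` comment does not record which flags actually had to go; the `jar` entry just below gets by with MPROTECT off alone, which suggests the first block may be broader than needed. Please record the observed failure in the comment, e.g. `# all flags off: <which flag broke the runtime and how>`, so a later maintainer can narrow the set instead of keeping the launchers fully unprotected by default. The same applies to the `psmxer` entries for wine and the `pSmXer` entry for sbcl in simple.conf.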
@@ -0,0 +1,22 @@
+# MPROTECT off
+PSmXER:
+ - /usr/bin/akonadi_sendlater_agent
+ - /usr/bin/akonadi_archivemail_agent
+ - /usr/bin/akonadi_mailfilter_agent
+ - /usr/bin/akonadiconsole
+ - /usr/bin/akregator
+ - /usr/bin/blogilo
+ - /usr/bin/kdeinit4
+ - /usr/bin/kdenlive
+ - /usr/bin/kmail
+ - /usr/bin/knode
+ - /usr/bin/knotify4
+ - /usr/bin/kontact
+ - /usr/bin/kwin
+ - /usr/bin/okular
+ - /usr/lib/kde4/libexec/drkonqi
+ - /usr/lib/kde4/libexec/kwin_opengl_test
+
+# MPROTECT and RANDMMAP off
+PSmXEr:
+ - /usr/lib/kde4/libexec/kscreenlocker_greet
diff --git a/kernels/pax-flags-libre/pax-flags-libre.8 b/kernels/pax-flags-libre/pax-flags-libre.8
new file mode 100644
index 000000000..f27ae82f8
--- /dev/null
+++ b/kernels/pax-flags-libre/pax-flags-libre.8
@@ -0,0 +1,112 @@
+.TH pax-flags-libre 8 "" 2013-02-18
+.SH NAME
+\fBpax-flags-libre\fR \- Configure PaX flags for several binaries
+.SH SYNOPSIS
+\fBpax-flags-libre\fR [options] [filter]
+.SH DESCRIPTION
+\fBpax-flags-libre\fR is written to configure PaX flags for a set of binaries.
+It is intended to ease the usage of PaX (linux-libre-pax) or grsecurity (linux-libre-grsec,
+linux-libre-grsec-lts) enabled kernel on Parabola GNU/Linux-libre.
+.P
+PaX flags for a set of binaries are collected in YAML format configuration
+files. By default, every .conf file from /etc/pax-flags and
+/usr/share/pax-flags-libre is read. See the CONFIGURATION section for the file
+format.
+.P
+Root privileges are needed. If you set a value to $PAX_FLAGS_SUDO,
+\fBpax-flags-libre\fR will be called with sudo.
+.SH OPTIONS
+.TP
+\-c, \-\-config
+Override default configuration paths. Requires one path argument. Can contain
+globs (escape them in some shells (zsh for example)).
+.TP
+\-h, \-\-help
+Displays a short usage message and option summary.
+.TP
+\-p, \-\-prepend
+Do not actually change anything.
+.TP
+\-x, \-\-xattr
+Sets the PaX flags through setfattr, underlying filesystems need xattr support.
+.TP
+\-y, \-\-yes
+Non-interactive mode. Assume yes on any question.
+.SH FILES
+.TP
+/etc/pax-flags/*.conf
+Files for overriding the standard flag set and path pattern configuration.
+.TP
+/usr/share/pax-flags-libre/*.conf
+The shipped configuration.
+.SH CONFIGURATION
+There are \fBsimple\fR configuration entries and \fBcomplex\fR ones. Complex
+configuration for a certain flag set and path pattern overrides simple. To
+override a simple entry with a complex one, the flag sets and path patterns have
+to match exactly.
+.SS "Simple entries"
+Simple configuration entries just set the PaX flags for a set of binaries. The
+format is as follows:
+.P
+PSmXER:
+.br
+ \- /usr/bin/ruby
+ \- /usr/bin/glx*
+.P
+\fBPSmXER\fR is the set of flags. Every letter represents a PaX flag. Uppercase
+enables the flag, lowercase disables it. See paxctl(1) for more details. This
+example disables MPROTECT on /usr/bin/ruby and /usr/bin/glx*.
+.SS "Complex entries"
+With complex entries it is possible to stop a daemon before setting the flags
+and starting it afterwards. The format is as follows:
+.P
+PSmXER:
+.br
+ \- /usr/sbin/clamd:
+ type: systemd
+.P
+This would stop clamd, disable MPROTECT for the binary and start the daemon
+again. The \fBtype\fR option values correspond to presets of status, start, stop
+actions. Currently there exists only "systemd". By default the systemd unit file
+would be "clamd" in this case or the basename of the path in general.
+.P
+PSmXEr:
+.br
+ \- /usr/lib/polkit-1/polkitd:
+ type: systemd
+ systemd_name: polkit
+.P
+The \fBsystemd_name\fR option can be used to configure a differing systemd unit
+name.
+.P
+PSmXEr:
+.br
+ \- /usr/lib/iceweasel/iceweasel:
+ status: "pidof iceweasel"
+ start: "iceweasel &"
+ stop: "killall iceweasel"
+.P
+This would configure custom actions for \fBstatus\fR, \fBstart\fR and
+\fBstop\fR.
+.P
+PSmXER:
+.br
+ \- /usr/bin/ruby:
+ skip: true
+.P
+This would override a simple entry for the same flag set and path pattern and
+cause it to be skipped.
+.P
+PSmXER:
+.br
+ \- /usr/lib32/somebinary:
+ header: create
+.P
+This would cause paxctl to not convert the old binary header, but create a new
+one. See paxctl(1) for more details.
+.SH AUTHOR
+henning mueller
+.SH SEE ALSO
+\- paxctl(1)
+.br
+\- http://www.yaml.org
diff --git a/kernels/pax-flags-libre/pax-flags-libre.rb b/kernels/pax-flags-libre/pax-flags-libre.rb
new file mode 100755
index 000000000..f2362a157
--- /dev/null
+++ b/kernels/pax-flags-libre/pax-flags-libre.rb
@@ -0,0 +1,278 @@ +#!/usr/bin/env ruby + +require 'getoptlong' +require 'readline' +require 'singleton' +require 'yaml' + +# Monkey-path the Array class. +class Array + # ["foo", {"foo" => 1}].cleanup => [{"foo" => 1}] + # If the key in a Hash element of an Array is also present as an element of + # the Array, delete the latter. + def cleanup + array = self.dup + self.grep(Hash).map(&:keys).flatten.each do |x| + array.delete x + end + array + end +end + +# Class handles configuration parameters. +class FlagsConfig < Hash + # This is a singleton class. + include Singleton + + # Merges a Hash or YAML file (containing a Hash) with itself. + def load config + if config.class == Hash + merge! config + return + end + + unless config.nil? + merge_yaml! config + end + end + + # Merge Config Hash with Hash in YAML file. + def merge_yaml! path + merge!(load_file path) do |key, old, new| + (old + new).uniq.cleanup if old.is_a? Array and new.is_a? Array + end + end + + # Load YAML file and work around tabs not working for identation. + def load_file path + YAML.load open(path).read.gsub(/\t/, ' ') + rescue Psych::SyntaxError => e + print path, ':', e.message.split(':').last, "\n" + exit 1 + end +end + +# A method to print a beautiful usage message. +def usage + $stderr.puts < e + usage +end + +# Whatever is left over is a filter. +filters = ARGV + +# Exit if we are not running with root privileges. +if Process.uid != 0 + $stderr << "Root privileges needed.\n" + exit 1 +end + +# Either default config paths or overridden ones. +config_paths = if new_configs.empty? + ['/etc/pax-flags/*.conf', '/usr/share/pax-flags-libre/*.conf'] +else + new_configs +end + +# Initialize the singleton config object... +config = FlagsConfig.instance + +# ... and load every config file. +config_paths.each do |path| + Dir.glob(path).each do |file| + config.load file + end +end + +# Helper text for simple entries. 
+puts < /dev/null') + system stop unless prepend + start_again = true if start + end + end + + if xattr + # setfattr seems to be picky about the order of the flags, + # rearrange it beforehand + xflags = flags[/[Pp]/] + flags[/[Ee]/] + flags[/[Mm]/] + + flags[/[Rr]/] + flags[/[Ss]/] + print xflags, ' ', path, "\n" + else + print flags, ' ', path, "\n" + end + + # Set the flags and notify the user. + unless prepend + if xattr + `setfattr -n user.pax.flags -v #{xflags} "#{path}"` + else + header = 'c' + header = 'C' if e['header'] == 'create' + `paxctl -#{header}#{flags} "#{path}"` + end + end + + # Start the complex entries service again, if it is neccessary. + system start unless prepend if start_again + end +end diff --git a/kernels/pax-flags-libre/pax-flags-libre.sh b/kernels/pax-flags-libre/pax-flags-libre.sh new file mode 100755 index 000000000..612f6cf93 --- /dev/null +++ b/kernels/pax-flags-libre/pax-flags-libre.sh @@ -0,0 +1,13 @@ +#!/bin/sh + +ruby=$(which ruby) + +[ -z $PAX_FLAGS_SUDO ] && sudo='' || sudo='sudo' + +[ "$(paxctl -v $ruby 2>/dev/null)" ] || { + $sudo paxctl -cm $ruby +} + +$sudo systemctl --system daemon-reload + +$sudo linux-pax-flags.rb $@ diff --git a/kernels/pax-flags-libre/polkit.conf b/kernels/pax-flags-libre/polkit.conf new file mode 100644 index 000000000..5a97136d2 --- /dev/null +++ b/kernels/pax-flags-libre/polkit.conf @@ -0,0 +1,5 @@ +# MPROTECT and RANDMMAP off +PSmXEr: + - /usr/lib/polkit-1/polkitd: + type: systemd + systemd_name: polkit diff --git a/kernels/pax-flags-libre/qemu.conf b/kernels/pax-flags-libre/qemu.conf new file mode 100644 index 000000000..428d2928b --- /dev/null +++ b/kernels/pax-flags-libre/qemu.conf 
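Review bot: In the flag-setting step the target path is interpolated into a shell command string, `paxctl -#{header}#{flags} "#{path}"` and `setfattr -n user.pax.flags -v #{xflags} "#{path}"`, and this runs as root over paths obtained by globbing the configured patterns, so a file name containing `"`, `$` or a backtick is mis-parsed by the shell. The argument-list form avoids the shell entirely and also yields an exit status to report: `system('paxctl', "-#{header}#{flags}", path)` and `system('setfattr', '-n', 'user.pax.flags', '-v', xflags, path)`. In `FlagsConfig#load_file`, `open(path).read` never closes the handle and `Kernel#open` treats a path starting with `|` as a command to spawn; `File.read(path)` does the same job without either property. Large parts of this file (the heredoc bodies and the option-parsing loop) are not legible as rendered here, so the surrounding control flow could not be reviewed.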
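Review bot: The last line runs `$sudo linux-pax-flags.rb $@`, but the PKGBUILD in this commit installs the Ruby script as `/usr/bin/pax-flags-libre.rb` and the package replaces linux-pax-flags, so the wrapper will fail with command-not-found once the old package is gone; it should be `$sudo pax-flags-libre.rb "$@"`. `$@` is unquoted there, as are `$ruby` and `$PAX_FLAGS_SUDO` above, so arguments or an interpreter path containing spaces are word-split; quoting them (`"$ruby"`, `[ -z "$PAX_FLAGS_SUDO" ]`) fixes that. The `paxctl -cm $ruby` step disables MPROTECT on the system Ruby interpreter as a side effect of merely invoking the wrapper, presumably so the script itself can run under PaX; a one-line comment stating that would help, since the man page does not mention it.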
@@ -0,0 +1,51 @@
+# SEGMEXEC and MPROTECT off
+# (RANDEXEC is not activatable for qemu. The binaries seem to be compiled
+# with PIE enabled, though.)
+PsmxER:
+ - /usr/bin/qemu-alpha
+ - /usr/bin/qemu-arm
+ - /usr/bin/qemu-armeb
+ - /usr/bin/qemu-cris
+ - /usr/bin/qemu-i386
+ - /usr/bin/qemu-m68k
+ - /usr/bin/qemu-microblaze
+ - /usr/bin/qemu-microblazeel
+ - /usr/bin/qemu-mips
+ - /usr/bin/qemu-mipsel
+ - /usr/bin/qemu-ppc
+ - /usr/bin/qemu-ppc64
+ - /usr/bin/qemu-ppc64abi32
+ - /usr/bin/qemu-s390x
+ - /usr/bin/qemu-sh4
+ - /usr/bin/qemu-sh4eb
+ - /usr/bin/qemu-sparc
+ - /usr/bin/qemu-sparc32plus
+ - /usr/bin/qemu-sparc64
+ - /usr/bin/qemu-unicore32
+ - /usr/bin/qemu-x86_64
+
+# MPROTECT off
+PSmXER:
+ - /usr/bin/qemu-system-alpha
+ - /usr/bin/qemu-system-arm
+ - /usr/bin/qemu-system-cris
+ - /usr/bin/qemu-system-i386
+ - /usr/bin/qemu-system-lm32
+ - /usr/bin/qemu-system-m68k
+ - /usr/bin/qemu-system-microblaze
+ - /usr/bin/qemu-system-microblazeel
+ - /usr/bin/qemu-system-mips
+ - /usr/bin/qemu-system-mips64
+ - /usr/bin/qemu-system-mips64el
+ - /usr/bin/qemu-system-mipsel
+ - /usr/bin/qemu-system-ppc
+ - /usr/bin/qemu-system-ppc64
+ - /usr/bin/qemu-system-ppcemb
+ - /usr/bin/qemu-system-s390x
+ - /usr/bin/qemu-system-sh4
+ - /usr/bin/qemu-system-sh4eb
+ - /usr/bin/qemu-system-sparc
+ - /usr/bin/qemu-system-sparc64
+ - /usr/bin/qemu-system-x86_64
+ - /usr/bin/qemu-system-xtensa
+ - /usr/bin/qemu-system-xtensaeb
diff --git a/kernels/pax-flags-libre/replicant.conf b/kernels/pax-flags-libre/replicant.conf
new file mode 100644
index 000000000..a916c34b8
--- /dev/null
+++ b/kernels/pax-flags-libre/replicant.conf
@@ -0,0 +1,8 @@
+# MPROTECT off
+PSmXER:
+ - /opt/replicant-sdk/tools/emulator-arm
+ - /opt/replicant-sdk/tools/emulator-x86
+ - /opt/replicant-sdk/platform-tools/adb:
+ status: "pidof adb"
+ start: "adb start-server"
+ stop: "adb kill-server"
diff --git a/kernels/pax-flags-libre/ruby.conf b/kernels/pax-flags-libre/ruby.conf
new file mode 100644
index 000000000..ec595d462
--- /dev/null
+++ b/kernels/pax-flags-libre/ruby.conf
@@ -0,0 +1,7 @@
+# MPROTECT off
+PSmXER:
+ - ~/.rbenv/versions/?.?.?{,-p*}/bin/ruby
+ - ~/.rbenv/versions/?.?.?{,-p*}/lib/ruby/gems/*/gems/capybara-webkit-*/bin/webkit_server
+ - ~/.rvm/rubies/ruby-?.?.?{,-p*}/bin/ruby
+ - ~/.rvm/gems/ruby-?.?.?{,-p*}/gems/capybara-webkit-*/bin/webkit_server
+ - /usr/bin/ruby
diff --git a/kernels/pax-flags-libre/simple.conf b/kernels/pax-flags-libre/simple.conf
new file mode 100644
index 000000000..d4d6594a8
--- /dev/null
+++ b/kernels/pax-flags-libre/simple.conf
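Review bot: The four `~/.rbenv` and `~/.rvm` patterns are expanded by the Ruby script with Dir.glob while it runs as root (the wrapper re-executes it under sudo), so `~`, if the glob expands it at all, names root's home rather than the home of the user whose rbenv/rvm install is meant, and these entries likely never match on an ordinary system. If per-user interpreters are intended, the pattern needs an explicit base such as `/home/*/.rbenv/versions/?.?.?{,-p*}/bin/ruby`, together with a comment noting that root is then rewriting PaX headers in user-owned files; otherwise the four lines can be dropped and only `/usr/bin/ruby` kept.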
@@ -0,0 +1,59 @@
+# RANDMMAP off
+PSMXEr:
+ - /usr/bin/grub-script-check
+
+# MPROTECT and RANDMMAP off
+PSmXEr:
+ - /usr/bin/elinks
+ - /usr/bin/gnome-shell
+ - /usr/bin/grub-bios-setup
+ - /usr/lib/iceweasel/iceweasel
+ - /usr/lib/iceweasel/plugin-container
+ - /usr/lib/gcc/x86_64-unknown-linux-gnu/*/cc1plus
+ - /usr/lib/icedove/icedove
+
+# MPROTECT off
+PSmXER:
+ - /usr/bin/blender
+ - /usr/bin/btsync
+ - /usr/bin/cabal
+ - /usr/bin/dolphin-emu
+ - /usr/bin/dosbox
+ - /usr/bin/epiphany
+ - /usr/bin/gendesk
+ - /usr/bin/glxdemo
+ - /usr/bin/glxgears
+ - /usr/bin/glxinfo
+ - /usr/bin/glxspheres
+ - /usr/bin/goldendict
+ - /usr/bin/gtk-query-immodules-*
+ - /usr/bin/inkscape
+ - /usr/bin/liferea
+ - /usr/bin/mono
+ - /usr/bin/mplayer
+ - /usr/bin/mumble
+ - /usr/bin/obex-data-server
+ - /usr/bin/python2
+ - /usr/bin/scheme
+ - /usr/bin/seahorse
+ - /usr/bin/spicec
+ - /usr/bin/systemsettings
+ - /usr/bin/tcc
+ - /usr/bin/vlc
+ - /usr/lib/erlang/erts-*/bin/beam
+ - /usr/lib/erlang/erts-*/bin/beam.smp
+ - /usr/lib/ghc-*/ghc
+ - /usr/lib/libreoffice/program/soffice.bin
+ - /usr/lib/webkitgtk/WebKitWebProcess
+ - /usr/lib/xbmc/xbmc.bin
+ - /usr/sbin/grub-probe
+ - /usr/sbin/vbetool
+
+# PAGEEXEC, MPROTECT, EMUTRAMP and RANDMMAP off
+pSmXer:
+ - /usr/bin/sbcl
+
+# All off :(
+psmxer:
+ - /usr/bin/wine
+ - /usr/bin/wine-preloader
diff --git a/kernels/pax-flags-libre/valgrind.conf b/kernels/pax-flags-libre/valgrind.conf
new file mode 100644
index 000000000..6d25559ae
--- /dev/null
+++ b/kernels/pax-flags-libre/valgrind.conf
@@ -0,0 +1,25 @@
+# MPROTECT off
+PSmXER:
+ - /usr/bin/valgrind
+ - /usr/lib/valgrind/cachegrind-amd64-linux
+ - /usr/lib/valgrind/cachegrind-x86-linux
+ - /usr/lib/valgrind/callgrind-amd64-linux
+ - /usr/lib/valgrind/callgrind-x86-linux
+ - /usr/lib/valgrind/drd-amd64-linux
+ - /usr/lib/valgrind/drd-x86-linux
+ - /usr/lib/valgrind/exp-bbv-amd64-linux
+ - /usr/lib/valgrind/exp-bbv-x86-linux
+ - /usr/lib/valgrind/exp-dhat-amd64-linux
+ - /usr/lib/valgrind/exp-dhat-x86-linux
+ - /usr/lib/valgrind/exp-sgcheck-amd64-linux
+ - /usr/lib/valgrind/exp-sgcheck-x86-linux
+ - /usr/lib/valgrind/helgrind-amd64-linux
+ - /usr/lib/valgrind/helgrind-x86-linux
+ - /usr/lib/valgrind/lackey-amd64-linux
+ - /usr/lib/valgrind/lackey-x86-linux
+ - /usr/lib/valgrind/massif-amd64-linux
+ - /usr/lib/valgrind/massif-x86-linux
+ - /usr/lib/valgrind/memcheck-amd64-linux
+ - /usr/lib/valgrind/memcheck-x86-linux
+ - /usr/lib/valgrind/none-amd64-linux
+ - /usr/lib/valgrind/none-x86-linux
--
cgit v1.2.3-2-g168b