nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg     = config.security.chromiumSuidSandbox;
  sandbox = pkgs.chromium.sandbox;
in
{
  imports = [
    (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
  ];

  options.security.chromiumSuidSandbox.enable = mkOption {
    type = types.bool;
    default = false;
    description = ''
      Whether to install the Chromium SUID sandbox which is an executable that
      Chromium may use in order to achieve sandboxing.

      If you get the error "The SUID sandbox helper binary was found, but is not
      configured correctly.", turning this on might help.

      Also, if the URL chrome://sandbox tells you that "You are not adequately
      sandboxed!", turning this on might resolve the issue.
    '';
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ sandbox ];
    security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
  };
}
chromium: add nixos module security.chromiumSuidSandbox Closes #17460 Changed the wrapper derivation to produce a second output containing the sandbox. Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store). This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it. Does not trigger a Chromium rebuild. cc @cleverca22 @joachifm @jasom 2016-08-06 09:13:20 +01:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`cfg = config.security.chromiumSuidSandbox;`
			`sandbox = pkgs.chromium.sandbox;`
			`in`
			`{`
nixos/treewide: Move rename.nix imports to their respective modules A centralized list for these renames is not good because: - It breaks disabledModules for modules that have a rename defined - Adding/removing renames for a module means having to find them in the central file - Merge conflicts due to multiple people editing the central file 2019-12-10 02:51:19 +01:00			`imports = [`
			`(mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])`
			`];`

chromium-suid-sandbox module: fix description 2016-08-08 01:55:11 +03:00			`options.security.chromiumSuidSandbox.enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Whether to install the Chromium SUID sandbox which is an executable that`
			`Chromium may use in order to achieve sandboxing.`
chromium: add nixos module security.chromiumSuidSandbox Closes #17460 Changed the wrapper derivation to produce a second output containing the sandbox. Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store). This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it. Does not trigger a Chromium rebuild. cc @cleverca22 @joachifm @jasom 2016-08-06 09:13:20 +01:00
chromium-suid-sandbox module: fix description 2016-08-08 01:55:11 +03:00			`If you get the error "The SUID sandbox helper binary was found, but is not`
			`configured correctly.", turning this on might help.`
chromium: add nixos module security.chromiumSuidSandbox Closes #17460 Changed the wrapper derivation to produce a second output containing the sandbox. Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store). This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it. Does not trigger a Chromium rebuild. cc @cleverca22 @joachifm @jasom 2016-08-06 09:13:20 +01:00
chromium-suid-sandbox module: fix description 2016-08-08 01:55:11 +03:00			`Also, if the URL chrome://sandbox tells you that "You are not adequately`
			`sandboxed!", turning this on might resolve the issue.`
			`'';`
			`};`
chromium: add nixos module security.chromiumSuidSandbox Closes #17460 Changed the wrapper derivation to produce a second output containing the sandbox. Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store). This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it. Does not trigger a Chromium rebuild. cc @cleverca22 @joachifm @jasom 2016-08-06 09:13:20 +01:00
			`config = mkIf cfg.enable {`
			`environment.systemPackages = [ sandbox ];`
treewide: remove redundant quotes 2019-08-13 21:52:01 +00:00			`security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";`
chromium: add nixos module security.chromiumSuidSandbox Closes #17460 Changed the wrapper derivation to produce a second output containing the sandbox. Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store). This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it. Does not trigger a Chromium rebuild. cc @cleverca22 @joachifm @jasom 2016-08-06 09:13:20 +01:00			`};`
			`}`