chromium: add nixos module security.chromiumSuidSandbox

Closes #17460

Changed the wrapper derivation to produce a second output containing the sandbox.
Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store).
This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it.

Does not trigger a Chromium rebuild.

cc @cleverca22 @joachifm @jasom

pkgs/applications/networking/browsers/chromium/common.nix

@@ -96,6 +96,8 @@ let
   buildPath = "out/${buildType}";
   libExecPath = "$out/libexec/${packageName}";
 
+  sandboxExecutableName = "__chromium-suid-sandbox";
+
   base = rec {
     name = "${packageName}-${version}";
     inherit (upstream-info) version;
@@ -221,6 +223,8 @@ let
       targets = extraAttrs.buildTargets or [];
       commands = map buildCommand targets;
     in concatStringsSep "\n" commands;
+
+    passthru = { inherit sandboxExecutableName; };
   };
 
 # Remove some extraAttrs we supplied to the base attributes already.

pkgs/applications/networking/browsers/chromium/default.nix

@@ -1,4 +1,4 @@
-{ newScope, stdenv, makeWrapper, makeDesktopItem
+{ newScope, stdenv, makeWrapper, makeDesktopItem, writeScript
 
 # package customization
 , channel ? "stable"
@@ -61,22 +61,49 @@ let
 
   suffix = if channel != "stable" then "-" + channel else "";
 
+  sandboxExecutableName = chromium.browser.passthru.sandboxExecutableName;
+
 in stdenv.mkDerivation {
   name = "chromium${suffix}-${chromium.browser.version}";
 
   buildInputs = [ makeWrapper ];
 
+  outputs = ["out" "sandbox"];
+
   buildCommand = let
     browserBinary = "${chromium.browser}/libexec/chromium/chromium";
     getWrapperFlags = plugin: "$(< \"${plugin}/nix-support/wrapper-flags\")";
+    sandboxExecutableSourcePath = "${chromium.browser}/libexec/chromium/chrome-sandbox";
+    launchScript = writeScript "chromium" ''
+      #! ${stdenv.shell}
+
+      if [ -x "/var/setuid-wrappers/${sandboxExecutableName}" ]
+      then
+        export CHROME_DEVEL_SANDBOX="/var/setuid-wrappers/${sandboxExecutableName}"
+      else
+        export CHROME_DEVEL_SANDBOX="@sandbox@/bin/${sandboxExecutableName}"
+      fi
+
+      # libredirect causes chromium to deadlock on startup
+      export LD_PRELOAD="$(echo -n "$LD_PRELOAD" | tr ':' '\n' | grep -v /lib/libredirect\\.so$ | tr '\n' ':')"
+
+      exec @out@/bin/.chromium-wrapped "''${extraFlagsArray[@]}" "$@"
+    '';
   in with stdenv.lib; ''
     mkdir -p "$out/bin" "$out/share/applications"
 
     ln -s "${chromium.browser}/share" "$out/share"
-    eval makeWrapper "${browserBinary}" "$out/bin/chromium" \
-      --set CHROME_DEVEL_SANDBOX "${chromium.browser}/libexec/chromium/chrome-sandbox" \
+    eval makeWrapper "${browserBinary}" "$out/bin/.chromium-wrapped" \
       ${concatMapStringsSep " " getWrapperFlags chromium.plugins.enabled}
 
+    cp -v "${launchScript}" "$out/bin/chromium"
+    substituteInPlace $out/bin/chromium --replace @out@ $out --replace @sandbox@ $sandbox
+    chmod 755 "$out/bin/chromium"
+
+    mkdir -p "$sandbox/bin"
+    [ -x "${sandboxExecutableSourcePath}" ] || exit 1
+    ln -sv "${sandboxExecutableSourcePath}" "$sandbox/bin/${sandboxExecutableName}"
+
     ln -s "$out/bin/chromium" "$out/bin/chromium-browser"
     ln -s "${chromium.browser}/share/icons" "$out/share/icons"
     cp -v "${desktopItem}/share/applications/"* "$out/share/applications"
@@ -87,5 +114,6 @@ in stdenv.mkDerivation {
   passthru = {
     inherit (chromium) upstream-info;
     mkDerivation = chromium.mkChromiumDerivation;
+    inherit sandboxExecutableName;
   };
 }