chromium: New seccomp patch for versions >= 23.

The BPF renderer sandbox is now the default in 23. But still, it is not regarded
as "adequately sandboxed" from Google so we still need the legacy seccomp
sandbox.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

pkgs/applications/networking/browsers/chromium/default.nix

@@ -82,7 +82,10 @@ let
 
   seccompPatch = let
     pre22 = versionOlder sourceInfo.version "22.0.0.0";
-  in if pre22 then ./enable_seccomp.patch else ./enable_seccomp22.patch;
+    pre23 = versionOlder sourceInfo.version "23.0.0.0";
+  in if pre22 then ./enable_seccomp.patch
+     else if pre23 then ./enable_seccomp22.patch
+     else ./enable_seccomp23.patch;
 
 in stdenv.mkDerivation rec {
   name = "${packageName}-${version}";

pkgs/applications/networking/browsers/chromium/enable_seccomp23.patch

@@ -0,0 +1,18 @@
+diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
+index ad73fe6..ee3e6e6 100644
+--- a/content/common/sandbox_linux.cc
++++ b/content/common/sandbox_linux.cc
+@@ -42,13 +42,8 @@ bool IsSeccompLegacyDesired() {
+     return false;
+   }
+ #if defined(SECCOMP_SANDBOX)
+-#if defined(NDEBUG)
+-  // Off by default. Allow turning on with a switch.
+-  return command_line->HasSwitch(switches::kEnableSeccompSandbox);
+-#else
+   // On by default. Allow turning off with a switch.
+   return !command_line->HasSwitch(switches::kDisableSeccompSandbox);
+-#endif  // NDEBUG
+ #endif  // SECCOMP_SANDBOX
+   return false;
+ }