public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chromium: Drop obsolete pre-v23 seccomp patch.

Browse Source 
The patch is no longer needed, as we are now using the BPF seccomp sandbox.
Unfortunately this is not marked "adequately sandboxed" in chrome://sandbox, as
it awaits security review on http://crbug.com/26528.

Unfortunately this gets us into a position where we can't be sure if the sandbox
is working correctly, especially because the non-BPF seccomp sandbox has a bunch
of stability issues and is marked legacy. And we definitely don't want to add
support for the setuid sandbox, do we?

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2012-11-20 00:32:45 +01:00
parent d5c639cb55
commit af8f08d638
No known key found for this signature in database
GPG Key ID: D0EBD0EC8C2DC961
2 changed files with 0 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkgs/applications/networking/browsers/chromium/default.nix
View File

@ -84,10 +84,6 @@ let
libusb1 libexif libusb1 libexif
]; ];
maybeSeccompPatch = let
pre23 = versionOlder sourceInfo.version "23.0.0.0";
in optional pre23 ./enable_seccomp.patch;
maybeFixPulseAudioBuild = let maybeFixPulseAudioBuild = let
post23 = !versionOlder sourceInfo.version "24.0.0.0"; post23 = !versionOlder sourceInfo.version "24.0.0.0";
in optional (post23 && cfg.pulseaudio) (fetchurl { in optional (post23 && cfg.pulseaudio) (fetchurl {
@ -128,7 +124,6 @@ in stdenv.mkDerivation rec {
patches = optional cfg.cups ./cups_allow_deprecated.patch patches = optional cfg.cups ./cups_allow_deprecated.patch
++ optional cfg.pulseaudio ./pulseaudio_array_bounds.patch ++ optional cfg.pulseaudio ./pulseaudio_array_bounds.patch
++ maybeSeccompPatch
++ maybeFixPulseAudioBuild; ++ maybeFixPulseAudioBuild;
postPatch = optionalString cfg.openssl '' postPatch = optionalString cfg.openssl ''

20
pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
View File

@ -1,20 +0,0 @@
diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
index d4618e5..108f846 100644
--- a/content/common/sandbox_linux.cc
+++ b/content/common/sandbox_linux.cc
@@ -38,15 +38,9 @@ void LogSandboxStarted(const std::string& sandbox_name) {
// Implement the command line enabling logic for seccomp-legacy.
bool IsSeccompLegacyDesired() {
#if defined(SECCOMP_SANDBOX)
-#if defined(NDEBUG)
- // Off by default; allow turning on with a switch.
- return CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox);
-#else
// On by default; allow turning off with a switch.
return !CommandLine::ForCurrentProcess()->HasSwitch(
switches::kDisableSeccompSandbox);
-#endif // NDEBUG
#endif // SECCOMP_SANDBOX
return false;
}