public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chromium: Enable seccomp by default.

Browse Source 
If useSELinux is not set, enable seccomp mode by default and avoid building the
SUID helper sandbox at all. This involves a small patch which causes the
commandline arguments to be swapped: --disable-seccomp-sandbox to disable it,
while the option is active by default.
This commit is contained in:
aszlig 2012-06-15 11:07:30 +02:00 committed by Eelco Dolstra
parent 2571488e6a
commit ef45195126
2 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkgs/applications/networking/browsers/chromium/default.nix
View File

@ -47,12 +47,15 @@ in stdenv.mkDerivation rec {
prePatch = "patchShebangs ."; prePatch = "patchShebangs .";
patches = stdenv.lib.optional (!useSELinux) ./enable_seccomp.patch;
gypFlags = mkGypFlags ({ gypFlags = mkGypFlags ({
linux_use_gold_binary = false; linux_use_gold_binary = false;
linux_use_gold_flags = false; linux_use_gold_flags = false;
proprietary_codecs = false; proprietary_codecs = false;
use_gnome_keyring = gnomeKeyringSupport; use_gnome_keyring = gnomeKeyringSupport;
disable_nacl = !naclSupport; disable_nacl = !naclSupport;
selinux = useSELinux;
use_cups = false; use_cups = false;
} // stdenv.lib.optionalAttrs (stdenv.system == "x86_64-linux") { } // stdenv.lib.optionalAttrs (stdenv.system == "x86_64-linux") {
target_arch = "x64"; target_arch = "x64";
@ -95,7 +98,7 @@ in stdenv.mkDerivation rec {
in "CC=\"${CC}\" CXX=\"${CXX}\" CC.host=\"${CC}\" CXX.host=\"${CXX}\" LINK.host=\"${CXX}\""; in "CC=\"${CC}\" CXX=\"${CXX}\" CC.host=\"${CC}\" CXX.host=\"${CXX}\" LINK.host=\"${CXX}\"";
buildPhase = '' buildPhase = ''
make ${extraBuildFlags} BUILDTYPE=${buildType} library=shared_library chrome chrome_sandbox make ${extraBuildFlags} BUILDTYPE=${buildType} library=shared_library chrome
''; '';
installPhase = '' installPhase = ''

20
pkgs/applications/networking/browsers/chromium/enable_seccomp.patch Normal file
View File

@ -0,0 +1,20 @@
diff --git a/content/common/seccomp_sandbox.h b/content/common/seccomp_sandbox.h
index a07d6f3..a622a35 100644
--- a/content/common/seccomp_sandbox.h
+++ b/content/common/seccomp_sandbox.h
@@ -29,15 +29,9 @@ static bool SeccompSandboxEnabled() {
// TODO(evan): turn on for release too once we've flushed out all the bugs,
// allowing us to delete this file entirely and just rely on the "disabled"
// switch.
-#ifdef NDEBUG
- // Off by default; allow turning on with a switch.
- return CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox);
-#else
// On by default; allow turning off with a switch.
return !CommandLine::ForCurrentProcess()->HasSwitch(
switches::kDisableSeccompSandbox);
-#endif // NDEBUG
}
#endif // SECCOMP_SANDBOX