
# Chromium browser, built from the source tarball that `channel` selects in
# ./sources.nix. Arguments without a default must be supplied by the caller;
# the `? null` entries are only needed when the matching enable*/ *Support
# flag is set.
{ stdenv, fetchurl, makeWrapper, ninja, which
# default dependencies
, bzip2, flac, speex
, libevent, expat, libjpeg
, libpng, libxml2, libxslt
, xdg_utils, yasm, zlib
, libusb1, libexif, pciutils
, python, pythonPackages, perl, pkgconfig
, nspr, udev, krb5
, utillinux, alsaLib
, gcc, bison, gperf
, glib, gtk, dbus_glib
, libXScrnSaver, libXcursor, libXtst, mesa
, protobuf, speechd, libXdamage
# optional dependencies
, libgcrypt ? null # gnomeSupport || cupsSupport
# package customization
, channel ? "stable" # key into ./sources.nix, which provides url, sha256 and version
, enableSELinux ? false, libselinux ? null # when true the chrome_sandbox target is not built
, enableNaCl ? false
# openssl replaces nss in buildInputs and openssl.patches are applied to the bundled copy
, useOpenSSL ? false, nss ? null, openssl ? null
, gnomeSupport ? false, gconf ? null
, gnomeKeyringSupport ? false, libgnome_keyring ? null
, proprietaryCodecs ? true # H.264 support via ffmpeg_branding = "Chrome"
, cupsSupport ? false
, pulseSupport ? false, pulseaudio ? null
}:
with stdenv.lib;
let
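# The Chromium source tree, unpacked and patched once and split into four
# store outputs so the main build can assemble its working tree from them:
# "main" (browser sources), "bundled" (third_party), "sandbox" and "out"
# (build + tools). The tarball for the selected channel comes from
# ./sources.nix and is integrity-checked by fetchurl against the sha256
# recorded there.
src = with getAttr channel (import ./sources.nix); stdenv.mkDerivation {
  name = "chromium-source-${version}";
  src = fetchurl {
    inherit url sha256;
  };
  buildInputs = [ python ]; # cannot patch shebangs otherwise
  # Nothing is compiled here: unpack, patch, copy out.
  phases = [ "unpackPhase" "patchPhase" "installPhase" ];
  # Patches for the bundled OpenSSL copy; empty unless useOpenSSL is set.
  opensslPatches = optional useOpenSSL openssl.patches;
  prePatch = "patchShebangs .";
  # Unprivileged user-namespace sandbox support (details in the patch header).
  patches = singleton ./sandbox_userns_31.patch;
  postPatch = ''
    # NOTE(review): the first expression rewrites -fstack-protector(-all) to
    # -fno-stack-protector, i.e. it strips Chromium's stack-smashing
    # protection from the gyp flags. The reason is not recorded here; confirm
    # whether the nixpkgs toolchain re-adds the flag, otherwise this weakens
    # the hardening of the resulting binaries.
    sed -i -r \
      -e 's/-f(stack-protector)(-all)?/-fno-\1/' \
      -e 's|/bin/echo|echo|' \
      -e "/python_arch/s/: *'[^']*'/: '""'/" \
      build/common.gypi chrome/chrome_tests.gypi
    # Delete the "not RunGN" line and the one after it in the gyp driver.
    sed -i '/not RunGN/,+1d' build/gyp_chromium
    sed -i -e 's|/usr/bin/gcc|gcc|' \
      third_party/WebKit/Source/build/scripts/scripts.gypi \
      third_party/WebKit/Source/build/scripts/preprocessor.pm
  '' + optionalString useOpenSSL ''
    cat $opensslPatches | patch -p1 -d third_party/openssl/openssl
  '' + optionalString (!versionOlder version "34.0.0.0") ''
    # From 34 on gyp_chromium imports depot_tools; drop that import.
    sed -i '/import.*depot/d' build/gyp_chromium
  '';
  outputs = [ "out" "sandbox" "bundled" "main" ];
  installPhase = ''
    ensureDir "$out" "$sandbox" "$bundled" "$main"

    header "copying browser main sources to $main"
    # Top-level entries except the directories that get their own output and
    # except dotfiles. NUL-delimited so names with whitespace survive xargs.
    find . -mindepth 1 -maxdepth 1 \
      \! -path ./sandbox \
      \! -path ./third_party \
      \! -path ./build \
      \! -path ./tools \
      \! -name '.*' \
      -print0 | xargs -0 cp -rt "$main"
    stopNest

    header "copying sandbox components to $sandbox"
    cp -rt "$sandbox" sandbox/*
    stopNest

    header "copying third party sources to $bundled"
    cp -rt "$bundled" third_party/*
    stopNest

    header "copying build requisites to $out"
    cp -rt "$out" build tools
    stopNest

    rm -rf "$out/tools/gyp" # XXX: Don't even copy it in the first place.
  '';
  passthru = {
    inherit version;
  };
};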
# Render an attribute set of gyp variables as one string of "-Dkey=value"
# arguments. Booleans become 1/0, everything else is interpolated as a
# string. configurePhase passes the result to the shell unquoted, so it is
# word-split there: values must not contain whitespace (none in this file do).
mkGypFlags = attrs:
  let
    render = v:
      if builtins.isBool v then (if v then "1" else "0")
      else "${v}";
    defineFlag = k: v: "-D${k}=${render v}";
  in concatStringsSep " " (mapAttrsToList defineFlag attrs);
# Which bundled third_party copies are replaced by nixpkgs packages. A `false`
# entry keeps the copy shipped in the Chromium tree; the crbug links record
# why that is still necessary.
gypFlagsUseSystemLibs = {
  use_system_bzip2 = true;
  use_system_flac = true;
  use_system_libevent = true;
  use_system_libexpat = true;
  use_system_libexif = true;
  use_system_libjpeg = true;
  use_system_libpng = false; # PNG dlopen() version conflict
  use_system_libusb = true;
  use_system_libxml = true;
  use_system_speex = true;
  use_system_ssl = useOpenSSL; # system SSL only when OpenSSL is selected
  use_system_stlport = true;
  use_system_xdg_utils = true;
  use_system_yasm = true;
  use_system_zlib = false; # http://crbug.com/143623
  use_system_protobuf = true;
  use_system_harfbuzz = false;
  use_system_icu = false;
  use_system_libwebp = false; # http://crbug.com/133161
  use_system_skia = false;
  use_system_sqlite = false; # http://crbug.com/22208
  use_system_v8 = false;
};
# Build inputs that are always present (the system libraries selected in
# gypFlagsUseSystemLibs plus their tooling); the main derivation prepends
# this list to its own buildInputs.
defaultDependencies = [
  bzip2 flac speex
  libevent expat libjpeg
  libpng libxml2 libxslt
  xdg_utils yasm zlib
  libusb1 libexif
];
# Separate derivation for the sandbox helper, built from the "sandbox" output
# of the source derivation. `binary` is the file name the helper is installed
# under; packageName is bound further down (let bindings are mutually
# recursive).
sandbox = import ./sandbox.nix {
  inherit stdenv;
  src = src.sandbox;
  binary = "${packageName}_sandbox";
};
# build paths and release info
# build paths and release info
packageName = "chromium";
buildType = "Release";
buildPath = "out/${buildType}"; # ninja output directory, relative to the source tree
# `$out` is a literal here: it is expanded by the shell at install time, not by Nix.
libExecPath = "$out/libexec/${packageName}";
# Absolute store path of the sandbox helper. It is baked into the browser
# twice: through the linux_sandbox_path gyp variable and through the
# browser_main_loop.cc edit in postPatch.
sandboxPath = "${sandbox}/bin/${packageName}_sandbox";
in stdenv.mkDerivation rec {
name = "${packageName}-${src.version}";
inherit packageName src;
# Build inputs: the always-present system libraries, the toolchain and
# desktop libraries, then whatever the feature flags ask for. libgcrypt is
# listed twice when both gnomeSupport and cupsSupport are set; presumably
# harmless for buildInputs.
buildInputs =
  let
    sslImpl = if useOpenSSL then openssl else nss;
    featureDeps =
      optionals gnomeKeyringSupport [ libgnome_keyring ]
      ++ optionals gnomeSupport [ gconf libgcrypt ]
      ++ optionals enableSELinux [ libselinux ]
      ++ optionals cupsSupport [ libgcrypt ]
      ++ optionals pulseSupport [ pulseaudio ];
  in defaultDependencies ++ [
    which makeWrapper
    python perl pkgconfig
    nspr udev
    sslImpl
    utillinux alsaLib
    gcc bison gperf krb5
    glib gtk dbus_glib
    libXScrnSaver libXcursor libXtst mesa
    pciutils protobuf speechd libXdamage
    pythonPackages.gyp
  ] ++ featureDeps;
# Reassemble the working tree from the split outputs of the source
# derivation: "main" into the top level, "bundled" as third_party and
# "sandbox" as sandbox. -d keeps symlinks as symlinks, -r recurses. The
# chmod afterwards is needed presumably because the copies keep the
# read-only mode of the store — see the commented-out --no-preserve=mode.
prePatch = ''
  # XXX: Figure out a way how to split these properly.
  #cpflags="-dsr --no-preserve=mode"
  cpflags="-dr"
  cp $cpflags "${src.main}"/* .
  cp $cpflags "${src.bundled}" third_party
  cp $cpflags "${src.sandbox}" sandbox
  chmod -R u+w . # XXX!
'';
# Replace the block of browser_main_loop.cc that starts at the `exe_dir`
# declaration (and ends at the next line consisting only of a closing brace)
# with an assignment of the fixed store path of our sandbox helper —
# presumably so the browser does not look for a helper next to its own
# executable; confirm against the upstream function. Because the range is
# matched textually, upstream reformatting of that function silently
# changes what gets replaced.
postPatch = ''
  sed -i -e '/base::FilePath exe_dir/,/^ *} *$/c \
  sandbox_binary = \
  base::FilePath("'"${sandboxPath}"'");
  ' content/browser/browser_main_loop.cc
'';
# All gyp variables for this build, rendered by mkGypFlags. Later sets win
# on `//`, so the codec and architecture overrides below take precedence
# over the common flags.
gypFlags =
  let
    commonFlags = {
      linux_use_gold_binary = false;
      linux_use_gold_flags = false;
      proprietary_codecs = false; # flipped to true by codecFlags when proprietaryCodecs is set
      use_gnome_keyring = gnomeKeyringSupport;
      use_gconf = gnomeSupport;
      use_gio = gnomeSupport;
      use_pulseaudio = pulseSupport;
      disable_nacl = !enableNaCl;
      use_openssl = useOpenSSL;
      selinux = enableSELinux;
      use_cups = cupsSupport;
      # Store path of the sandbox helper and of the browser binary it launches;
      # both end up in the gyp command line in configurePhase.
      linux_sandbox_path = "${sandboxPath}";
      linux_sandbox_chrome_path = "${libExecPath}/${packageName}";
      werror = "";
      # Google API keys, see http://www.chromium.org/developers/how-tos/api-keys.
      # Note: These are for NixOS/nixpkgs use ONLY. For your own distribution,
      # please get your own set of keys.
      # These values are passed on the gyp command line and, presumably, compiled
      # into the browser; they are therefore not confidential and identify this
      # build to Google's services.
      google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI";
      google_default_client_id = "404761575300.apps.googleusercontent.com";
      google_default_client_secret = "9rIFQjfnkykEmqb6FfjJQD1D";
    };
    codecFlags = optionalAttrs proprietaryCodecs {
      # enable support for the H.264 codec
      proprietary_codecs = true;
      ffmpeg_branding = "Chrome";
    };
    archFlags =
      if stdenv.system == "x86_64-linux" then {
        target_arch = "x64";
        python_arch = "x86-64";
      } else if stdenv.system == "i686-linux" then {
        target_arch = "ia32";
        python_arch = "ia32";
      } else {};
  in mkGypFlags (gypFlagsUseSystemLibs // commonFlags // codecFlags // archFlags);
# Generate the ninja build files. gypFlags is deliberately left unquoted so
# the shell splits it into one -D argument per variable; mkGypFlags must
# therefore never produce a value containing whitespace.
configurePhase = ''
  python build/gyp_chromium -f ninja --depth "$(pwd)" ${gypFlags}
'';
# Build with ninja using the nixpkgs gcc for both target and host, with the
# parallelism/load limit taken from NIX_BUILD_CORES. The chrome_sandbox
# target is skipped when SELinux support is enabled.
buildPhase = ''
  CC="${gcc}/bin/gcc" CC_host="${gcc}/bin/gcc" \
  CXX="${gcc}/bin/g++" CXX_host="${gcc}/bin/g++" \
  LINK_host="${gcc}/bin/g++" \
  "${ninja}/bin/ninja" -C "${buildPath}" \
    -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
    chrome ${optionalString (!enableSELinux) "chrome_sandbox"}
'';
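# Install the browser under libexec (with its resource files), a wrapper in
# $out/bin, the man page and the hicolor icons. Paths built from buildPath
# are all quoted, and directories are created with mkdir -p like the rest of
# this phase.
installPhase = ''
  mkdir -p "${libExecPath}"
  cp -v "${buildPath}/"*.pak "${libExecPath}/"
  ${optionalString (!versionOlder src.version "34.0.0.0") ''
    # icudtl.dat is only copied for 34 and later.
    cp -v "${buildPath}/icudtl.dat" "${libExecPath}/"
  ''}
  cp -vR "${buildPath}/locales" "${buildPath}/resources" "${libExecPath}/"
  cp -v "${buildPath}/libffmpegsumo.so" "${libExecPath}/"
  cp -v "${buildPath}/chrome" "${libExecPath}/${packageName}"

  mkdir -vp "$out/bin"
  makeWrapper "${libExecPath}/${packageName}" "$out/bin/${packageName}"

  mkdir -vp "$out/share/man/man1"
  cp -v "${buildPath}/chrome.1" "$out/share/man/man1/${packageName}.1"

  # One hicolor entry per product_logo_<size>.png. The expr test skips any
  # name whose size part is not purely numeric, which also covers the
  # unexpanded glob when no icon matches.
  for icon_file in chrome/app/theme/chromium/product_logo_*[0-9].png; do
    num_and_suffix="''${icon_file##*logo_}"
    icon_size="''${num_and_suffix%.*}"
    expr "$icon_size" : "^[0-9][0-9]*$" || continue
    logo_output_prefix="$out/share/icons/hicolor"
    logo_output_path="$logo_output_prefix/''${icon_size}x''${icon_size}/apps"
    mkdir -vp "$logo_output_path"
    cp -v "$icon_file" "$logo_output_path/${packageName}.png"
  done
'';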
# Expose the sandbox helper derivation to users of this package (the browser
# itself references it by absolute store path, see sandboxPath).
passthru = {
  inherit sandbox;
};
# Package metadata for nixpkgs tooling.
meta = {
  description = "An open source web browser from Google";
  homepage = http://www.chromium.org/;
  maintainers = with maintainers; [ goibhniu chaoflow aszlig wizeman ];
  license = licenses.bsd3;
  platforms = platforms.linux;
};
}