From d5c2b35b82b7c2c22bcc7d85c4d2f1fe0b810b3c Mon Sep 17 00:00:00 2001
From: aszlig
Date: Mon, 27 Aug 2012 06:45:32 +0200
Subject: [PATCH] chromium: Re-enable legacy sandbox for version 22.
This enables legacy seccomp sandbox by default even on chromium 22, because the BPF sandbox is still work in progress, please see: http://crbug.com/139872 http://crbug.com/130662 Because the BPF seccomp sandbox is used in case the legacy seccomp mode initialization fails, we might need to patch this again, as soon as the BPF sandbox is fully implemented to fall back to legacy seccomp and use BPF by default. We now have two patches for "default to seccomp" - one for Chromium 21 and one for 22 or higher.
---
 .../networking/browsers/chromium/default.nix | 8 ++++----
 .../browsers/chromium/enable_seccomp22.patch | 20 +++++++++++++++++++
 2 files changed, 24 insertions(+), 4 deletions(-)
 create mode 100644 pkgs/applications/networking/browsers/chromium/enable_seccomp22.patch
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index f9424f4d614a..e9e9961d1cd0 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -77,9 +77,9 @@ let xdg_utils yasm zlib ];
- needSeccompPatch =
- stdenv.lib.versionOlder sourceInfo.version "22.0.0.0"
- && !config.selinux;
+ seccompPatch = let
+ pre22 = stdenv.lib.versionOlder sourceInfo.version "22.0.0.0";
+ in if pre22 then ./enable_seccomp.patch else ./enable_seccomp22.patch;
 in stdenv.mkDerivation rec { name = "${packageName}-${version}";
@@ -112,7 +112,7 @@ in stdenv.mkDerivation rec { prePatch = "patchShebangs .";
- patches = stdenv.lib.optional needSeccompPatch ./enable_seccomp.patch
+ patches = stdenv.lib.optional (!config.selinux) seccompPatch ++ stdenv.lib.optional config.cups ./cups_allow_deprecated.patch ++ stdenv.lib.optional config.pulseaudio ./pulseaudio_array_bounds.patch;
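Review bot: The `seccompPatch` selector in the first hunk applies `./enable_seccomp22.patch` to every version from 22.0.0.0 upward with no upper bound, while that patch's context is pinned to one revision of `content/common/sandbox_linux.cc`; once upstream finishes the seccomp-bpf work the commit message anticipates, a later release will either fail to patch or, if the hunk still applies with fuzz, keep forcing the legacy sandbox on past the point where this was meant to be temporary. Nothing in `default.nix` records why a second patch exists, so the rationale lives only in this commit message; the enclosing `let` block begins before the hunk. A comment above the binding would keep it with the code: `# Chromium >= 22 ships the legacy seccomp sandbox off by default in release builds while the seccomp-bpf sandbox is unfinished (crbug.com/139872, crbug.com/130662); revisit this version bound when BPF becomes the default.` The second hunk is consistent with the first, since `!config.selinux` now gates whichever patch was chosen, but it is worth stating in that same comment that SELinux builds of any version keep upstream's default.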
diff --git a/pkgs/applications/networking/browsers/chromium/enable_seccomp22.patch b/pkgs/applications/networking/browsers/chromium/enable_seccomp22.patch
new file mode 100644
index 000000000000..f947d796f186
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/enable_seccomp22.patch
@@ -0,0 +1,20 @@
+diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
+index d4618e5..108f846 100644
+--- a/content/common/sandbox_linux.cc
++++ b/content/common/sandbox_linux.cc
+@@ -38,15 +38,9 @@ void LogSandboxStarted(const std::string& sandbox_name) {
+ // Implement the command line enabling logic for seccomp-legacy.
+ bool IsSeccompLegacyDesired() {
+ #if defined(SECCOMP_SANDBOX)
+-#if defined(NDEBUG)
+- // Off by default; allow turning on with a switch.
+- return CommandLine::ForCurrentProcess()->HasSwitch(
+- switches::kEnableSeccompSandbox);
+-#else
+ // On by default; allow turning off with a switch.
+ return !CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableSeccompSandbox);
+-#endif // NDEBUG
+ #endif // SECCOMP_SANDBOX
+ return false;
+ }
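Review bot: The new patch deletes the entire `#if defined(NDEBUG)` arm of `IsSeccompLegacyDesired()`, so after it is applied the function no longer reads `switches::kEnableSeccompSandbox` at all: debug and release builds both return `!HasSwitch(kDisableSeccompSandbox)`, and if the enable switch is still registered elsewhere it is presumably accepted on the command line without any effect. That is the behaviour the commit intends, but the patch file itself carries no explanation, and a `.patch` tolerates prose before its first `diff --git` line. A short header such as `Force the legacy seccomp sandbox on by default in release builds of Chromium 22 while the seccomp-bpf sandbox is incomplete (crbug.com/139872, crbug.com/130662); --enable-seccomp-sandbox becomes a no-op, --disable-seccomp-sandbox still opts out. Drop once upstream makes BPF the default.` would keep the reason and the changed switch semantics with the file instead of only in this commit message. The legacy-to-BPF fallback on initialisation failure that the commit message describes is not touched by this hunk, which is confined to `IsSeccompLegacyDesired()`.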