chromium: Re-enable legacy sandbox for version 22.

This enables legacy seccomp sandbox by default even on chromium 22, because the BPF sandbox is still work in progress, please see: http://crbug.com/139872 http://crbug.com/130662 Because the BPF seccomp sandbox is used in case the legacy seccomp mode initialization fails, we might need to patch this again, as soon as the BPF sandbox is fully implemented to fall back to legacy seccomp and use BPF by default. We now have two patches for "default to seccomp" - one for Chromium 21 and one for 22 or higher.
2012-08-27 06:45:32 +02:00 · 2012-08-27 06:45:32 +02:00 · d5c2b35b82
parent c67d8bcabe
commit d5c2b35b82
2 changed files with 24 additions and 4 deletions
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@ -77,9 +77,9 @@ let
    xdg_utils yasm zlib
  ];

-  needSeccompPatch =
-    stdenv.lib.versionOlder sourceInfo.version "22.0.0.0"
-    && !config.selinux;
+  seccompPatch = let
+    pre22 = stdenv.lib.versionOlder sourceInfo.version "22.0.0.0";
+  in if pre22 then ./enable_seccomp.patch else ./enable_seccomp22.patch;

 in stdenv.mkDerivation rec {
  name = "${packageName}-${version}";
@ -112,7 +112,7 @@ in stdenv.mkDerivation rec {

  prePatch = "patchShebangs .";

-  patches = stdenv.lib.optional needSeccompPatch ./enable_seccomp.patch
+  patches = stdenv.lib.optional (!config.selinux) seccompPatch
         ++ stdenv.lib.optional config.cups ./cups_allow_deprecated.patch
         ++ stdenv.lib.optional config.pulseaudio ./pulseaudio_array_bounds.patch;

--- a/pkgs/applications/networking/browsers/chromium/enable_seccomp22.patch
+++ b/pkgs/applications/networking/browsers/chromium/enable_seccomp22.patch
@ -0,0 +1,20 @@
+diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
+index d4618e5..108f846 100644
+--- a/content/common/sandbox_linux.cc
+++ b/content/common/sandbox_linux.cc
+@@ -38,15 +38,9 @@ void LogSandboxStarted(const std::string& sandbox_name) {
+ // Implement the command line enabling logic for seccomp-legacy.
+ bool IsSeccompLegacyDesired() {
+ #if defined(SECCOMP_SANDBOX)
+-#if defined(NDEBUG)
+-  // Off by default; allow turning on with a switch.
+-  return CommandLine::ForCurrentProcess()->HasSwitch(
+-      switches::kEnableSeccompSandbox);
+-#else
+   // On by default; allow turning off with a switch.
+   return !CommandLine::ForCurrentProcess()->HasSwitch(
+       switches::kDisableSeccompSandbox);
+-#endif  // NDEBUG
+ #endif  // SECCOMP_SANDBOX
+   return false;
+ }