From 45b69d6dba5a2c7d26072775dc9eee653f06aebc Mon Sep 17 00:00:00 2001
From: aszlig
Date: Wed, 25 Sep 2013 13:45:13 +0200
Subject: [PATCH] chromium: Split sandbox off the main output path.

Now the chromium derivation produces an extra output path for the sandbox in order to be properly used as a setuid wrapper in without the need to include the full Chromium package.

Signed-off-by: aszlig
---
 .../networking/browsers/chromium/default.nix | 22 ++++++++++++++-----
 .../networking/browsers/chromium/sandbox.nix | 20 +++++++++++++++++
 2 files changed, 36 insertions(+), 6 deletions(-)
 create mode 100644 pkgs/applications/networking/browsers/chromium/sandbox.nix

diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 18fb7fefeffe..6b0d504f320e 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -81,11 +81,18 @@ let
 libusb1 libexif
 ];
 
+ sandbox = import ./sandbox.nix {
+ inherit stdenv;
+ src = src.sandbox;
+ binary = "${packageName}_sandbox";
+ };
+
 # build paths and release info
 packageName = "chromium";
 buildType = "Release";
 buildPath = "out/${buildType}";
 libExecPath = "$out/libexec/${packageName}";
+ sandboxPath = "${sandbox}/bin/${packageName}_sandbox";
 
 # user namespace sandbox patch
 userns_patch = if versionOlder sourceInfo.version "30.0.0.0"
@@ -137,7 +144,7 @@ in stdenv.mkDerivation rec {
 '' + optionalString (!versionOlder sourceInfo.version "30.0.0.0") ''
 sed -i -e '/base::FilePath exe_dir/,/^ *} *$/c \
 sandbox_binary = \
- base::FilePath("'"${libExecPath}/${packageName}_sandbox"'");
+ base::FilePath("'"${sandboxPath}"'");
 ' content/browser/browser_main_loop.cc
 '';
 
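Review bot: The new `sandbox = import ./sandbox.nix { … }` binding in the hunk at -81 has no comment saying why the helper is built as its own derivation instead of being taken from the `chrome_sandbox` ninja target that this file still builds, so a reader of default.nix alone cannot recover the intent. A line such as `# the SUID sandbox helper is a separate output so that only it, not the whole browser, has to be made setuid` above the binding would capture what the commit message states. The new sandbox.nix names its derivation from `src.version`, so `src = src.sandbox;` presumably relies on `src.sandbox` carrying a `version` attribute; the definition of `src` lies outside this hunk, so that cannot be confirmed from the diff.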
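Review bot: The path written into browser_main_loop.cc by `base::FilePath("'"${sandboxPath}"'");` is a Nix store path, and the store never carries the setuid bit, so the helper found at that path at runtime will not be setuid root; as far as I recall the suid helper checks its effective uid and refuses to run otherwise, so the browser would fall back to "sandbox not configured correctly". The same applies to `linux_sandbox_path="${sandboxPath}";` in the hunk at -153. The commit message speaks of a setuid wrapper, but neither hunk shows how the wrapper's path reaches the browser — presumably a NixOS module points `CHROME_DEVEL_SANDBOX` at the wrapper or overrides the path — and that reliance deserves a comment next to `sandboxPath`, e.g. `# store paths are never setuid: this is only the compiled-in default, the setuid wrapper is expected to override it`. The `''`-string holding the sed call starts before this hunk.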
@@ -153,7 +160,7 @@ in stdenv.mkDerivation rec {
 use_openssl = useOpenSSL;
 selinux = enableSELinux;
 use_cups = cupsSupport;
- linux_sandbox_path="${libExecPath}/${packageName}_sandbox";
+ linux_sandbox_path="${sandboxPath}";
 linux_sandbox_chrome_path="${libExecPath}/${packageName}";
 werror = "";
 
@@ -185,13 +192,13 @@ in stdenv.mkDerivation rec {
 CC="${CC}" CC_host="${CC}" \
 CXX="${CXX}" CXX_host="${CXX}" \
 LINK_host="${CXX}" \
- "${ninja}/bin/ninja" -C "out/${buildType}" \
- -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
+ "${ninja}/bin/ninja" -C "${buildPath}" \
+ -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
 chrome ${optionalString (!enableSELinux) "chrome_sandbox"}
 '';
 
 installPhase = ''
- mkdir -vp "${libExecPath}"
+ ensureDir "${libExecPath}"
 cp -v "${buildPath}/"*.pak "${libExecPath}/"
 cp -vR "${buildPath}/locales" "${buildPath}/resources" "${libExecPath}/"
 cp -v ${buildPath}/libffmpegsumo.so "${libExecPath}/"
@@ -200,7 +207,6 @@ in stdenv.mkDerivation rec {
 mkdir -vp "$out/bin"
 makeWrapper "${libExecPath}/${packageName}" "$out/bin/${packageName}"
- cp -v "${buildPath}/chrome_sandbox" "${libExecPath}/${packageName}_sandbox"
 
 mkdir -vp "$out/share/man/man1"
 cp -v "${buildPath}/chrome.1" "$out/share/man/man1/${packageName}.1"
 
@@ -216,6 +222,10 @@ in stdenv.mkDerivation rec {
 done
 '';
 
+ passthru = {
+ inherit sandbox;
+ };
+
 meta = {
 description = "An open source web browser from Google";
 homepage = http://www.chromium.org/;
diff --git a/pkgs/applications/networking/browsers/chromium/sandbox.nix b/pkgs/applications/networking/browsers/chromium/sandbox.nix
new file mode 100644
index 000000000000..b43385e86338
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/sandbox.nix
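Review bot: In the hunk at -185 the ninja invocation still requests the `chrome_sandbox` target via `chrome ${optionalString (!enableSELinux) "chrome_sandbox"}`, but its only consumer, the `cp -v "${buildPath}/chrome_sandbox" …` line, is deleted by the hunk at -200, so the target is now compiled and discarded on every build; the line should shrink to `chrome`. Whether the separate sandbox.nix derivation should likewise be skipped when `enableSELinux` is set is not addressed anywhere in the diff. The `mkdir -vp` → `ensureDir` swap is unrelated to the split and leaves installPhase mixing `ensureDir` with the `mkdir -vp "$out/bin"` and man1 lines of the next hunk; either keep `mkdir -vp` here or convert all three together. The `-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \` line differs only in whitespace. The buildPhase string that holds the ninja call starts before this hunk.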
@@ -0,0 +1,20 @@
+{ stdenv, src, binary }:
+
+stdenv.mkDerivation {
+ name = "chromium-sandbox-${src.version}";
+ inherit src;
+
+ patchPhase = ''
+ sed -i -e '/#include.*base_export/c \
+ #define BASE_EXPORT __attribute__((visibility("default")))
+ ' linux/suid/*.[hc]
+ '';
+
+ buildPhase = ''
+ gcc -Wall -std=gnu99 -o sandbox linux/suid/*.c
+ '';
+
+ installPhase = ''
+ install -svD sandbox "$out/bin/${binary}"
+ '';
+}
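Review bot: `gcc -Wall -std=gnu99 -o sandbox linux/suid/*.c` builds the helper that, per the commit message, is meant to run setuid root, yet it bypasses the gyp/ninja build that default.nix uses for everything else and so carries none of the flags upstream applies to its `chrome_sandbox` target; unless the stdenv compiler wrapper injects them (not visible here), the binary ships without stack protector, FORTIFY, PIE or RELRO, which is the wrong default for a root-privileged helper. I would change the line to `gcc -Wall -std=gnu99 -O2 -D_FORTIFY_SOURCE=2 -fstack-protector -fPIE -pie -Wl,-z,relro,-z,now -o sandbox linux/suid/*.c` (the `-O2` is required for `_FORTIFY_SOURCE` to take effect). The `patchPhase` sed replaces the `base_export` include with a local `#define BASE_EXPORT`, presumably because `base/base_export.h` is not part of the sandbox source; a one-line comment stating that, plus the fact that sed silently matches nothing if the include line ever changes, would help the next maintainer.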