chromium: New seccomp patch for versions >= 23.

The BPF renderer sandbox is now the default in 23. But still, it is not regarded as "adequately sandboxed" from Google so we still need the legacy seccomp sandbox. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2024-11-23 14:11:36 +00:00 · 2012-10-08 05:49:13 +02:00 · 2012-10-08 05:49:13 +02:00 · 949afcc0f2
parent 77d424875c
commit 949afcc0f2
2 changed files with 22 additions and 1 deletions
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@ -82,7 +82,10 @@ let

  seccompPatch = let
    pre22 = versionOlder sourceInfo.version "22.0.0.0";
-  in if pre22 then ./enable_seccomp.patch else ./enable_seccomp22.patch;
+    pre23 = versionOlder sourceInfo.version "23.0.0.0";
+  in if pre22 then ./enable_seccomp.patch
+     else if pre23 then ./enable_seccomp22.patch
+     else ./enable_seccomp23.patch;

 in stdenv.mkDerivation rec {
  name = "${packageName}-${version}";
--- a/pkgs/applications/networking/browsers/chromium/enable_seccomp23.patch
+++ b/pkgs/applications/networking/browsers/chromium/enable_seccomp23.patch
@ -0,0 +1,18 @@
+diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
+index ad73fe6..ee3e6e6 100644
+--- a/content/common/sandbox_linux.cc
+++ b/content/common/sandbox_linux.cc
+@@ -42,13 +42,8 @@ bool IsSeccompLegacyDesired() {
+     return false;
+   }
+ #if defined(SECCOMP_SANDBOX)
+-#if defined(NDEBUG)
+-  // Off by default. Allow turning on with a switch.
+-  return command_line->HasSwitch(switches::kEnableSeccompSandbox);
+-#else
+   // On by default. Allow turning off with a switch.
+   return !command_line->HasSwitch(switches::kDisableSeccompSandbox);
+-#endif  // NDEBUG
+ #endif  // SECCOMP_SANDBOX
+   return false;
+ }