From 949afcc0f2d82cb00a7f0ca9c0dc4b45f8fe273f Mon Sep 17 00:00:00 2001 From: aszlig Date: Mon, 8 Oct 2012 05:49:13 +0200 Subject: [PATCH] chromium: New seccomp patch for versions >= 23. The BPF renderer sandbox is now the default in 23. But still, it is not regarded as "adequately sandboxed" from Google so we still need the legacy seccomp sandbox. Signed-off-by: aszlig --- .../networking/browsers/chromium/default.nix | 5 ++++- .../browsers/chromium/enable_seccomp23.patch | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 pkgs/applications/networking/browsers/chromium/enable_seccomp23.patch diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index 7dee8f3d296c..62ceb2dfb9be 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix @@ -82,7 +82,10 @@ let seccompPatch = let pre22 = versionOlder sourceInfo.version "22.0.0.0"; - in if pre22 then ./enable_seccomp.patch else ./enable_seccomp22.patch; + pre23 = versionOlder sourceInfo.version "23.0.0.0"; + in if pre22 then ./enable_seccomp.patch + else if pre23 then ./enable_seccomp22.patch + else ./enable_seccomp23.patch; in stdenv.mkDerivation rec { name = "${packageName}-${version}"; diff --git a/pkgs/applications/networking/browsers/chromium/enable_seccomp23.patch b/pkgs/applications/networking/browsers/chromium/enable_seccomp23.patch new file mode 100644 index 000000000000..bde476adbfd5 --- /dev/null +++ b/pkgs/applications/networking/browsers/chromium/enable_seccomp23.patch 
@@ -0,0 +1,18 @@
+diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
+index ad73fe6..ee3e6e6 100644
+--- a/content/common/sandbox_linux.cc
++++ b/content/common/sandbox_linux.cc
+@@ -42,13 +42,8 @@ bool IsSeccompLegacyDesired() {
+ return false;
+ }
+ #if defined(SECCOMP_SANDBOX)
+-#if defined(NDEBUG)
+- // Off by default. Allow turning on with a switch.
+- return command_line->HasSwitch(switches::kEnableSeccompSandbox);
+-#else
+ // On by default. Allow turning off with a switch.
+ return !command_line->HasSwitch(switches::kDisableSeccompSandbox);
+-#endif // NDEBUG
+ #endif // SECCOMP_SANDBOX
+ return false;
+ }
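Review bot: The new enable_seccomp23.patch carries no description above its `diff --git` line, so a reader of the patch file alone cannot tell why release builds should now enable the legacy seccomp sandbox by default; a short header such as `Enable the legacy seccomp sandbox by default in release (NDEBUG) builds too; it can then only be turned off with --disable-seccomp-sandbox.` would keep that rationale with the patch rather than only in the commit message. After this change `switches::kEnableSeccompSandbox` is no longer consulted by IsSeccompLegacyDesired() in any build configuration, so if the derivation's wrapper still passes --enable-seccomp-sandbox for these versions it is presumably a no-op and worth checking. The inner hunk starts at line 42 of sandbox_linux.cc, so the beginning of IsSeccompLegacyDesired() and its earlier early-return paths are outside what is visible here.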