mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-23 14:11:36 +00:00
chromium: Update all channels to latest versions.
This introduces version 31.0.1650.57 as the new version for the stable channel. Overview of the updated channels: stable: 30.0.1599.114 -> 31.0.1650.57 beta: 31.0.1650.34 -> 32.0.1700.19 dev: 32.0.1671.3 -> 33.0.1712.4 This drops the sandbox_userns_30.patch as version 30 is no longer stable. In addition, we had to patch out some references to /usr/bin/gcc in the bundled WebKit sources. Builds are passing and running fine. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
parent
d809fd135f
commit
da62e513e7
|
@ -46,16 +46,17 @@ let
|
|||
|
||||
prePatch = "patchShebangs .";
|
||||
|
||||
patches = singleton (
|
||||
if versionOlder version "31.0.0.0"
|
||||
then ./sandbox_userns_30.patch
|
||||
else ./sandbox_userns_31.patch
|
||||
);
|
||||
patches = singleton ./sandbox_userns_31.patch;
|
||||
|
||||
postPatch = ''
|
||||
sed -i -r -e 's/-f(stack-protector)(-all)?/-fno-\1/' build/common.gypi
|
||||
'' + (if versionOlder version "32.0.0.0" then ''
|
||||
sed -i -e 's|/usr/bin/gcc|gcc|' third_party/WebKit/Source/core/core.gypi
|
||||
'' + optionalString useOpenSSL ''
|
||||
'' else ''
|
||||
sed -i -e 's|/usr/bin/gcc|gcc|' \
|
||||
third_party/WebKit/Source/build/scripts/scripts.gypi \
|
||||
third_party/WebKit/Source/build/scripts/preprocessor.pm
|
||||
'') + optionalString useOpenSSL ''
|
||||
cat $opensslPatches | patch -p1 -d third_party/openssl/openssl
|
||||
'';
|
||||
|
||||
|
|
|
@ -1,293 +0,0 @@
|
|||
commit 41510de6ae32e6161073992bd1243f7f33148a06
|
||||
Author: aszlig <aszlig@redmoonstudios.org>
|
||||
Date: Thu May 16 14:17:56 2013 +0200
|
||||
|
||||
zygote: Add support for user namespaces on Linux.
|
||||
|
||||
The implementation is done by patching the Zygote host to execute the sandbox
|
||||
binary with CLONE_NEWUSER and setting the uid and gid mapping so that the child
|
||||
process is using uid 0 and gid 0 which map to the current user of the parent.
|
||||
Afterwards, the sandbox will continue as if it was called as a setuid binary.
|
||||
|
||||
In addition, this adds new_user_namespace as an option in process_util in order
|
||||
to set the UID and GID mapping correctly. The reason for this is that just
|
||||
passing CLONE_NEWUSER to clone_flags doesn't help in LaunchProcess(), because
|
||||
without setting the mappings exec*() will clear the process's capability sets.
|
||||
|
||||
If the kernel doesn't support unprivileged user namespaces and the sandbox
|
||||
binary doesn't have the setuid flag, the Zygote main process will run without a
|
||||
sandbox. This is to mimic the behaviour if no SUID sandbox binary path is set.
|
||||
|
||||
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
||||
|
||||
diff --git a/base/process/launch.h b/base/process/launch.h
|
||||
index 45b1053..ce71418 100644
|
||||
--- a/base/process/launch.h
|
||||
+++ b/base/process/launch.h
|
||||
@@ -51,6 +51,7 @@ struct LaunchOptions {
|
||||
new_process_group(false)
|
||||
#if defined(OS_LINUX)
|
||||
, clone_flags(0)
|
||||
+ , new_user_namespace(false)
|
||||
#endif // OS_LINUX
|
||||
#if defined(OS_CHROMEOS)
|
||||
, ctrl_terminal_fd(-1)
|
||||
@@ -125,6 +126,9 @@ struct LaunchOptions {
|
||||
#if defined(OS_LINUX)
|
||||
// If non-zero, start the process using clone(), using flags as provided.
|
||||
int clone_flags;
|
||||
+
|
||||
+ // If true, start the process in a new user namespace.
|
||||
+ bool new_user_namespace;
|
||||
#endif // defined(OS_LINUX)
|
||||
|
||||
#if defined(OS_CHROMEOS)
|
||||
diff --git a/base/process/launch_posix.cc b/base/process/launch_posix.cc
|
||||
index 52e149c..312f835 100644
|
||||
--- a/base/process/launch_posix.cc
|
||||
+++ b/base/process/launch_posix.cc
|
||||
@@ -37,6 +37,13 @@
|
||||
#include "base/threading/platform_thread.h"
|
||||
#include "base/threading/thread_restrictions.h"
|
||||
|
||||
+#if defined(OS_LINUX)
|
||||
+#include <sched.h>
|
||||
+#if !defined(CLONE_NEWUSER)
|
||||
+#define CLONE_NEWUSER 0x10000000
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
#if defined(OS_CHROMEOS)
|
||||
#include <sys/ioctl.h>
|
||||
#endif
|
||||
@@ -416,13 +423,23 @@ bool LaunchProcess(const std::vector<std::string>& argv,
|
||||
|
||||
pid_t pid;
|
||||
#if defined(OS_LINUX)
|
||||
- if (options.clone_flags) {
|
||||
+ int map_pipe_fd[2];
|
||||
+ int flags = options.clone_flags;
|
||||
+
|
||||
+ if (options.new_user_namespace) {
|
||||
+ flags |= CLONE_NEWUSER;
|
||||
+ if (pipe(map_pipe_fd) < 0) {
|
||||
+ DPLOG(ERROR) << "user namespace pipe";
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (options.clone_flags || options.new_user_namespace) {
|
||||
// Signal handling in this function assumes the creation of a new
|
||||
// process, so we check that a thread is not being created by mistake
|
||||
// and that signal handling follows the process-creation rules.
|
||||
- RAW_CHECK(
|
||||
- !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
|
||||
- pid = syscall(__NR_clone, options.clone_flags, 0, 0, 0);
|
||||
+ RAW_CHECK(!(flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
|
||||
+ pid = syscall(__NR_clone, flags, 0, 0, 0);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
@@ -440,6 +457,21 @@ bool LaunchProcess(const std::vector<std::string>& argv,
|
||||
} else if (pid == 0) {
|
||||
// Child process
|
||||
|
||||
+#if defined(OS_LINUX)
|
||||
+ if (options.new_user_namespace) {
|
||||
+ // Close the write end of the pipe so we get an EOF when the parent closes
|
||||
+ // the FD. This is to avoid race conditions when the UID/GID mappings are
|
||||
+ // written _after_ execvp().
|
||||
+ close(map_pipe_fd[1]);
|
||||
+
|
||||
+ char dummy;
|
||||
+ if (HANDLE_EINTR(read(map_pipe_fd[0], &dummy, 1)) != 0) {
|
||||
+ RAW_LOG(ERROR, "Unexpected input in uid/gid mapping pipe.");
|
||||
+ _exit(127);
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
// DANGER: fork() rule: in the child, if you don't end up doing exec*(),
|
||||
// you call _exit() instead of exit(). This is because _exit() does not
|
||||
// call any previously-registered (in the parent) exit handlers, which
|
||||
@@ -555,6 +587,40 @@ bool LaunchProcess(const std::vector<std::string>& argv,
|
||||
_exit(127);
|
||||
} else {
|
||||
// Parent process
|
||||
+#if defined(OS_LINUX)
|
||||
+ if (options.new_user_namespace) {
|
||||
+ // We need to write UID/GID mapping here to map the current user outside
|
||||
+ // the namespace to the root user inside the namespace in order to
|
||||
+ // correctly "fool" the child process.
|
||||
+ char buf[256];
|
||||
+ int map_fd, map_len;
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "/proc/%d/uid_map", pid);
|
||||
+ map_fd = open(buf, O_RDWR);
|
||||
+ DPCHECK(map_fd >= 0);
|
||||
+ snprintf(buf, sizeof(buf), "0 %d 1", geteuid());
|
||||
+ map_len = strlen(buf);
|
||||
+ if (write(map_fd, buf, map_len) != map_len) {
|
||||
+ RAW_LOG(WARNING, "Can't write to uid_map.");
|
||||
+ }
|
||||
+ close(map_fd);
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "/proc/%d/gid_map", pid);
|
||||
+ map_fd = open(buf, O_RDWR);
|
||||
+ DPCHECK(map_fd >= 0);
|
||||
+ snprintf(buf, sizeof(buf), "0 %d 1", getegid());
|
||||
+ map_len = strlen(buf);
|
||||
+ if (write(map_fd, buf, map_len) != map_len) {
|
||||
+ RAW_LOG(WARNING, "Can't write to gid_map.");
|
||||
+ }
|
||||
+ close(map_fd);
|
||||
+
|
||||
+ // Close the pipe on the parent, so the child can continue doing the
|
||||
+ // execvp() call.
|
||||
+ close(map_pipe_fd[1]);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (options.wait) {
|
||||
// While this isn't strictly disk IO, waiting for another process to
|
||||
// finish is the sort of thing ThreadRestrictions is trying to prevent.
|
||||
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc
|
||||
index bb84e62..bce0d18 100644
|
||||
--- a/content/browser/zygote_host/zygote_host_impl_linux.cc
|
||||
+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc
|
||||
@@ -119,25 +119,31 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) {
|
||||
|
||||
sandbox_binary_ = sandbox_cmd.c_str();
|
||||
|
||||
- // A non empty sandbox_cmd means we want a SUID sandbox.
|
||||
- using_suid_sandbox_ = !sandbox_cmd.empty();
|
||||
+ bool userns_sandbox = false;
|
||||
+ const std::vector<std::string> cmd_line_unwrapped(cmd_line.argv());
|
||||
|
||||
- if (using_suid_sandbox_) {
|
||||
+ if (!sandbox_cmd.empty()) {
|
||||
struct stat st;
|
||||
if (stat(sandbox_binary_.c_str(), &st) != 0) {
|
||||
LOG(FATAL) << "The SUID sandbox helper binary is missing: "
|
||||
<< sandbox_binary_ << " Aborting now.";
|
||||
}
|
||||
|
||||
- if (access(sandbox_binary_.c_str(), X_OK) == 0 &&
|
||||
- (st.st_uid == 0) &&
|
||||
- (st.st_mode & S_ISUID) &&
|
||||
- (st.st_mode & S_IXOTH)) {
|
||||
+ if (access(sandbox_binary_.c_str(), X_OK) == 0) {
|
||||
+ using_suid_sandbox_ = true;
|
||||
+
|
||||
cmd_line.PrependWrapper(sandbox_binary_);
|
||||
|
||||
scoped_ptr<sandbox::SetuidSandboxClient>
|
||||
sandbox_client(sandbox::SetuidSandboxClient::Create());
|
||||
sandbox_client->SetupLaunchEnvironment();
|
||||
+
|
||||
+ if (!((st.st_uid == 0) &&
|
||||
+ (st.st_mode & S_ISUID) &&
|
||||
+ (st.st_mode & S_IXOTH))) {
|
||||
+ userns_sandbox = true;
|
||||
+ sandbox_client->SetNoSuid();
|
||||
+ }
|
||||
} else {
|
||||
LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "
|
||||
"configured correctly. Rather than run without sandboxing "
|
||||
@@ -161,7 +167,19 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) {
|
||||
base::ProcessHandle process = -1;
|
||||
base::LaunchOptions options;
|
||||
options.fds_to_remap = &fds_to_map;
|
||||
+ if (userns_sandbox)
|
||||
+ options.new_user_namespace = true;
|
||||
base::LaunchProcess(cmd_line.argv(), options, &process);
|
||||
+
|
||||
+ if (process == -1 && userns_sandbox) {
|
||||
+ LOG(ERROR) << "User namespace sandbox failed to start, running without "
|
||||
+ << "sandbox! You need at least kernel 3.8.0 with CONFIG_USER_NS "
|
||||
+ << "enabled in order to use the sandbox without setuid bit.";
|
||||
+ using_suid_sandbox_ = false;
|
||||
+ options.new_user_namespace = false;
|
||||
+ base::LaunchProcess(cmd_line_unwrapped, options, &process);
|
||||
+ }
|
||||
+
|
||||
CHECK(process != -1) << "Failed to launch zygote process";
|
||||
|
||||
if (using_suid_sandbox_) {
|
||||
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
|
||||
index 1f0e9f5..ade5aab 100644
|
||||
--- a/content/zygote/zygote_main_linux.cc
|
||||
+++ b/content/zygote/zygote_main_linux.cc
|
||||
@@ -420,6 +420,13 @@ static bool EnterSandbox(sandbox::SetuidSandboxClient* setuid_sandbox,
|
||||
*has_started_new_init = true;
|
||||
}
|
||||
|
||||
+ // Don't set non-dumpable, as it causes trouble when the host tries to find
|
||||
+ // the zygote process (XXX: Not quite sure why this happens with user
|
||||
+ // namespaces). Fortunately, we also have the seccomp filter sandbox which
|
||||
+ // should disallow the use of ptrace.
|
||||
+ if (setuid_sandbox->IsNoSuid())
|
||||
+ return true;
|
||||
+
|
||||
#if !defined(OS_OPENBSD)
|
||||
// Previously, we required that the binary be non-readable. This causes the
|
||||
// kernel to mark the process as non-dumpable at startup. The thinking was
|
||||
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.cc b/sandbox/linux/suid/client/setuid_sandbox_client.cc
|
||||
index 34231d4..36e3201 100644
|
||||
--- a/sandbox/linux/suid/client/setuid_sandbox_client.cc
|
||||
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.cc
|
||||
@@ -166,6 +166,10 @@ bool SetuidSandboxClient::IsInNewNETNamespace() const {
|
||||
return env_->HasVar(kSandboxNETNSEnvironmentVarName);
|
||||
}
|
||||
|
||||
+bool SetuidSandboxClient::IsNoSuid() const {
|
||||
+ return env_->HasVar(kSandboxNoSuidVarName);
|
||||
+}
|
||||
+
|
||||
bool SetuidSandboxClient::IsSandboxed() const {
|
||||
return sandboxed_;
|
||||
}
|
||||
@@ -175,5 +179,9 @@ void SetuidSandboxClient::SetupLaunchEnvironment() {
|
||||
SetSandboxAPIEnvironmentVariable(env_);
|
||||
}
|
||||
|
||||
+void SetuidSandboxClient::SetNoSuid() {
|
||||
+ env_->SetVar(kSandboxNoSuidVarName, "1");
|
||||
+}
|
||||
+
|
||||
} // namespace sandbox
|
||||
|
||||
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h
|
||||
index a9f6536..2e8113a 100644
|
||||
--- a/sandbox/linux/suid/client/setuid_sandbox_client.h
|
||||
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.h
|
||||
@@ -39,6 +39,8 @@ class SetuidSandboxClient {
|
||||
bool IsInNewPIDNamespace() const;
|
||||
// Did the setuid helper create a new network namespace ?
|
||||
bool IsInNewNETNamespace() const;
|
||||
+ // Is sandboxed without SUID binary ?
|
||||
+ bool IsNoSuid() const;
|
||||
// Are we done and fully sandboxed ?
|
||||
bool IsSandboxed() const;
|
||||
|
||||
@@ -46,6 +48,8 @@ class SetuidSandboxClient {
|
||||
// helper.
|
||||
void SetupLaunchEnvironment();
|
||||
|
||||
+ void SetNoSuid();
|
||||
+
|
||||
private:
|
||||
// Holds the environment. Will never be NULL.
|
||||
base::Environment* env_;
|
||||
diff --git a/sandbox/linux/suid/common/sandbox.h b/sandbox/linux/suid/common/sandbox.h
|
||||
index aad4ff8..bd710d5 100644
|
||||
--- a/sandbox/linux/suid/common/sandbox.h
|
||||
+++ b/sandbox/linux/suid/common/sandbox.h
|
||||
@@ -18,6 +18,7 @@ static const char kAdjustLowMemMarginSwitch[] = "--adjust-low-mem";
|
||||
|
||||
static const char kSandboxDescriptorEnvironmentVarName[] = "SBX_D";
|
||||
static const char kSandboxHelperPidEnvironmentVarName[] = "SBX_HELPER_PID";
|
||||
+static const char kSandboxNoSuidVarName[] = "SBX_NO_SUID";
|
||||
|
||||
static const long kSUIDSandboxApiNumber = 1;
|
||||
static const char kSandboxEnvironmentApiRequest[] = "SBX_CHROME_API_RQ";
|
|
@ -1,18 +1,18 @@
|
|||
# This file is autogenerated from update.sh in the same directory.
|
||||
{
|
||||
dev = {
|
||||
version = "32.0.1671.3";
|
||||
url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-32.0.1671.3.tar.xz";
|
||||
sha256 = "0bv86ig3mrd95zh78880bcyh9b8w46s7slxq3mwwmrmqp0s8qaq0";
|
||||
version = "33.0.1712.4";
|
||||
url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-33.0.1712.4.tar.xz";
|
||||
sha256 = "1c1m0y3nnz2lclqi21j6hgqmb46p1hv7c22zz9fn7dax7jkimydk";
|
||||
};
|
||||
beta = {
|
||||
version = "31.0.1650.34";
|
||||
url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-31.0.1650.34.tar.xz";
|
||||
sha256 = "0c73kvp09cmq4x42rcf45v0mnbyb8rcyi5i4pj0pvfn451vbngdq";
|
||||
version = "32.0.1700.19";
|
||||
url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-32.0.1700.19.tar.xz";
|
||||
sha256 = "0d0kgy160pyg472ka43gxk7n09pqhhs9nd93jyxrp9qsyllfc425";
|
||||
};
|
||||
stable = {
|
||||
version = "30.0.1599.114";
|
||||
url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-30.0.1599.114.tar.xz";
|
||||
sha256 = "0q5pq8bj4y0c7hd121db1fa9g3apkpkhb6cf14ag7abgrda2pzw2";
|
||||
version = "31.0.1650.57";
|
||||
url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-31.0.1650.57.tar.xz";
|
||||
sha256 = "1xv7frf47hhvqm6f3n2l308yfrs4d8ri70q6pndx7hslhyiixzl9";
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue