1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-23 22:20:51 +00:00
nixpkgs/pkgs/applications/networking
aszlig c06c636604
chromium: Add patch for user namespace sandboxing.
This patch adds support for unprivileged user namespaces found in kernel
versions 3.8.0 and later. In case of Nix, this is especially useful to prevent
having to set up setuid wrappers.

The implementation details about this patch can be found at the top of the file
"sandbox_userns.patch". My first attempt of creating this patch was by modifying
the SUID sandbox. Unfortunately this didn't work out well, because in the event
of a sandbox failure, the host zygote process waits for an answer of the inner
zygote with no timeout. Even if I'd have set a timeout, this would have been
very ugly, giving users which don't have unprivileged user namespaces a delay on
startup.

An alternative approach to the mentioned problem would be to use select() on the
host zygote, watching for changes stdout or stderr and the synchronization
socket. But even that approach isn't feasible because it requires a whole bunch
of even more patching.

Patch was tested with older kernels (3.2.x, 3.7.x) and kernels without user
namespace support enabled, where in case the feature is unavailable it reverts
back to the previous behaviour (no zygote sandbox, only seccomp BPF).

In order to support all Chromium channels, I manually changed the first hunk of
the patch to not include the starting context of the diff, because there is a
whitespace change in more recent versions of the Chromium source tree.

See SVN revision 199882 for the change (revert in this case) in detail:

http://src.chromium.org/viewvc/chrome?view=revision&revision=199882

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2013-05-16 21:03:07 +02:00
..
bittorrentsync btsync: unredistributable 2013-05-13 00:05:06 +02:00
browsers chromium: Add patch for user namespace sandboxing. 2013-05-16 21:03:07 +02:00
cluster hadoop: update to version 2.0.2-alpha 2012-10-26 11:10:13 +02:00
dropbox dropbox: add x86 support 2013-03-26 16:39:03 +01:00
dropbox-cli Fix platform note in dropbox-cli 2013-03-27 20:56:46 +01:00
esniper esniper: update to version 2.28.0 2012-10-26 10:32:23 +02:00
ftp/filezilla filezilla: strip trailing whitespace 2013-04-26 22:40:40 +02:00
instant-messengers hipchat: Fix desktop item 2013-05-14 14:30:15 +02:00
iptraf get iptraf to compile 2013-03-24 14:44:10 +01:00
irc irssi-otr: updating to a fork more up to date 2013-04-13 18:27:47 +02:00
mailreaders notmuch: patch source to use full path of gpg2 2013-04-22 10:39:48 +02:00
msmtp msmtp: Update to 1.4.30, added optional libraries as dependency and point to correct license 2013-03-10 21:17:17 +01:00
mumble Updating mumble to 1.2.3 and adding pkgconfig as an input as it fails to build without it. 2012-03-16 19:19:00 +00:00
netperf netperf: update to version 2.6.0 2012-08-10 11:56:22 +02:00
newsreaders pan: Updated to 0.139 2012-07-11 17:05:13 -04:00
offrss offrss: fixing crossbuilding, disabling podofo in that case 2013-04-10 18:26:42 +02:00
p2p Fixing the startup script of freenet; I forgot the shebang 2013-04-21 10:59:20 +04:00
pjsip * "ensureDir" -> "mkdir -p". "ensureDir" is a rather pointless 2012-01-18 20:16:00 +00:00
remote Fixing the teamviewer evaluation and builds. 2013-03-22 16:16:37 +01:00
siproxd Adding siproxd 2011-01-16 11:41:19 +00:00
sniffers wireshark: update homepage URL 2013-05-11 20:31:24 +02:00
sync rsync: add meta.license attribute 2013-03-25 12:44:22 +01:00
umurmur Adding umurmur and protobuf-c. 2012-09-25 19:35:03 +02:00
vnstat vnstat: upgrade to 1.11 2012-09-02 11:57:49 +02:00
yafc yafc: update to 1.2.3 2012-09-06 17:31:40 +02:00