authorobadz <obadz-git@obadz.com>2016-08-04 20:26:05 +0100
committerobadz <obadz-git@obadz.com>2016-08-04 20:37:35 +0100
commit33557acb36ffb60317775ab7fdb3451a47b69d62 (patch)
tree66fe8ae76c7b927d43946f719108b8bacbe64e4e /pkgs/applications/networking/browsers/chromium
parent672447f1ada85a38f1b1f7d909d72977658abcb4 (diff)
chromium: add ability to control which sandbox is used
First step towards addressing #17460

In order to be able to run the SUID sandbox, which is good for security
and required to run Chromium with any kind of reasonable sandboxing when
using grsecurity kernels, we want to be able to control where the
sandbox comes from in the Chromium wrapper. This commit patches the
appropriate bit of source and adds the same old sandbox to the wrapper
(so it should be a no-op)
Diffstat (limited to 'pkgs/applications/networking/browsers/chromium')
-rw-r--r--pkgs/applications/networking/browsers/chromium/common.nix6
-rw-r--r--pkgs/applications/networking/browsers/chromium/default.nix1
2 files changed, 7 insertions, 0 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 997551f3fae2..46734e3ab072 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -134,6 +134,12 @@ let
     ];
 
     postPatch = ''
+      # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
+      substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \
+        --replace \
+          'std::string sandbox_binary(GetSandboxBinaryPath().value());' \
+          'std::string sandbox_binary(GetDevelSandboxPath());'
+
       sed -i -r \
         -e 's/-f(stack-protector)(-all)?/-fno-\1/' \
         -e 's|/bin/echo|echo|' \
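Review bot: Nothing after the `substituteInPlace ... --replace` call at the top of postPatch verifies that the quoted C++ statement was actually found in setuid_sandbox_host.cc. As far as I know `--replace` does not fail the build when the pattern is absent, so a Chromium update that rewords that line would silently restore the upstream path lookup and the wrapper's CHROME_DEVEL_SANDBOX would stop deciding which sandbox helper is run. I would follow the substitution with a check such as `grep -q 'sandbox_binary(GetDevelSandboxPath())' sandbox/linux/suid/client/setuid_sandbox_host.cc || { echo "sandbox path patch did not apply" >&2; exit 1; }`. postPatch continues past the end of this hunk.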
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 51493fb46557..a7447db7c220 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -74,6 +74,7 @@ in stdenv.mkDerivation {
 
     ln -s "${chromium.browser}/share" "$out/share"
     eval makeWrapper "${browserBinary}" "$out/bin/chromium" \
+      --set CHROME_DEVEL_SANDBOX "${chromium.browser}/libexec/chromium/chrome-sandbox" \
       ${concatMapStringsSep " " getWrapperFlags chromium.plugins.enabled}
 
     ln -s "$out/bin/chromium" "$out/bin/chromium-browser"
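Review bot: The added `--set CHROME_DEVEL_SANDBOX` line has no comment, and its coupling to the postPatch substitution in common.nix cannot be seen from this file. After that substitution the browser appears to take the sandbox helper path only from this variable, so dropping the line, or launching the unwrapped binary, would presumably leave it without a helper path. I would add above the makeWrapper call `# common.nix patches Chromium to read the sandbox path from CHROME_DEVEL_SANDBOX; keep both in sync`, and note there that `--set` deliberately overrides any value from the caller's environment. The surrounding build script starts and ends outside this hunk.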