authoraszlig <aszlig@redmoonstudios.org>2013-09-25 13:45:13 +0200
committeraszlig <aszlig@redmoonstudios.org>2013-09-27 15:23:30 +0200
commit45b69d6dba5a2c7d26072775dc9eee653f06aebc (patch)
tree8d1be889b358df0eb6e7dcab96b2e21f550bb49a /pkgs/applications/networking
parentc9614d2d056172d5ee4b10dda16bf37e1ee32dbf (diff)
chromium: Split sandbox off the main output path.
Now the chromium derivation produces an extra output path for the
sandbox in order to be properly used as a setuid wrapper in <nixos>
without the need to include the full Chromium package.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'pkgs/applications/networking')
-rw-r--r--pkgs/applications/networking/browsers/chromium/default.nix22
-rw-r--r--pkgs/applications/networking/browsers/chromium/sandbox.nix20
2 files changed, 36 insertions, 6 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 18fb7fefeffe..6b0d504f320e 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -81,11 +81,18 @@ let
     libusb1 libexif
   ];
 
+  sandbox = import ./sandbox.nix {
+    inherit stdenv;
+    src = src.sandbox;
+    binary = "${packageName}_sandbox";
+  };
+
   # build paths and release info
   packageName = "chromium";
   buildType = "Release";
   buildPath = "out/${buildType}";
   libExecPath = "$out/libexec/${packageName}";
+  sandboxPath = "${sandbox}/bin/${packageName}_sandbox";
 
   # user namespace sandbox patch
   userns_patch = if versionOlder sourceInfo.version "30.0.0.0"
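Review bot: `sandboxPath` is a Nix store path, and files in the store cannot carry the setuid bit, so the location compiled into the browser is the unprivileged copy rather than the setuid wrapper the commit message refers to. The same path is reused by the `browser_main_loop.cc` substitution and by `linux_sandbox_path` in the next two hunks. If the browser is expected to reach the wrapper some other way at run time, that is not visible in this diff and should be recorded next to the definition, for example `# store copy, not setuid; the setuid wrapper is installed separately by NixOS`. The name `"${packageName}_sandbox"` is also written out twice, in `binary` and in `sandboxPath`, so the two must be kept in sync by hand. The `let` block continues outside the hunk.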
@@ -137,7 +144,7 @@ in stdenv.mkDerivation rec {
   '' + optionalString (!versionOlder sourceInfo.version "30.0.0.0") ''
     sed -i -e '/base::FilePath exe_dir/,/^ *} *$/c \
       sandbox_binary = \
-        base::FilePath("'"${libExecPath}/${packageName}_sandbox"'");
+        base::FilePath("'"${sandboxPath}"'");
     ' content/browser/browser_main_loop.cc
   '';
 
@@ -153,7 +160,7 @@ in stdenv.mkDerivation rec {
     use_openssl = useOpenSSL;
     selinux = enableSELinux;
     use_cups = cupsSupport;
-    linux_sandbox_path="${libExecPath}/${packageName}_sandbox";
+    linux_sandbox_path="${sandboxPath}";
     linux_sandbox_chrome_path="${libExecPath}/${packageName}";
     werror = "";
 
@@ -185,13 +192,13 @@ in stdenv.mkDerivation rec {
     CC="${CC}" CC_host="${CC}"     \
     CXX="${CXX}" CXX_host="${CXX}" \
     LINK_host="${CXX}"             \
-      "${ninja}/bin/ninja" -C "out/${buildType}" \
-        -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES    \
+      "${ninja}/bin/ninja" -C "${buildPath}"  \
+        -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
         chrome ${optionalString (!enableSELinux) "chrome_sandbox"}
   '';
 
   installPhase = ''
-    mkdir -vp "${libExecPath}"
+    ensureDir "${libExecPath}"
     cp -v "${buildPath}/"*.pak "${libExecPath}/"
     cp -vR "${buildPath}/locales" "${buildPath}/resources" "${libExecPath}/"
     cp -v ${buildPath}/libffmpegsumo.so "${libExecPath}/"
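Review bot: The ninja invocation still requests the `chrome_sandbox` target when SELinux is disabled, although the installPhase no longer copies it (the `cp` is removed in the following hunk) and sandbox.nix now compiles the sandbox separately. The same privileged helper is therefore built twice from one source tree, presumably with different flags, and only the sandbox.nix build is shipped. The target list could shrink to `chrome`. As a style point, `ensureDir "${libExecPath}"` now sits beside `mkdir -vp "$out/bin"` in the same phase, so one form should be used throughout. Both phases continue outside the hunk.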
@@ -200,7 +207,6 @@ in stdenv.mkDerivation rec {
 
     mkdir -vp "$out/bin"
     makeWrapper "${libExecPath}/${packageName}" "$out/bin/${packageName}"
-    cp -v "${buildPath}/chrome_sandbox" "${libExecPath}/${packageName}_sandbox"
 
     mkdir -vp "$out/share/man/man1"
     cp -v "${buildPath}/chrome.1" "$out/share/man/man1/${packageName}.1"
@@ -216,6 +222,10 @@ in stdenv.mkDerivation rec {
     done
   '';
 
+  passthru = {
+    inherit sandbox;
+  };
+
   meta = {
     description = "An open source web browser from Google";
     homepage = http://www.chromium.org/;
diff --git a/pkgs/applications/networking/browsers/chromium/sandbox.nix b/pkgs/applications/networking/browsers/chromium/sandbox.nix
new file mode 100644
index 000000000000..b43385e86338
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/sandbox.nix
@@ -0,0 +1,20 @@
+{ stdenv, src, binary }:
+
+stdenv.mkDerivation {
+  name = "chromium-sandbox-${src.version}";
+  inherit src;
+
+  patchPhase = ''
+    sed -i -e '/#include.*base_export/c \
+      #define BASE_EXPORT __attribute__((visibility("default")))
+    ' linux/suid/*.[hc]
+  '';
+
+  buildPhase = ''
+    gcc -Wall -std=gnu99 -o sandbox linux/suid/*.c
+  '';
+
+  installPhase = ''
+    install -svD sandbox "$out/bin/${binary}"
+  '';
+}
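Review bot: The buildPhase compiles a helper that is meant to run setuid root with a bare `gcc -Wall -std=gnu99`, so none of the optimisation or hardening options the upstream build might apply are carried over, as far as this file shows. For a privileged binary the line should at least enable fortified libc calls, stack protection and a position-independent, full-RELRO link, e.g. `gcc -Wall -std=gnu99 -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIE -pie -Wl,-z,relro,-z,now -o sandbox linux/suid/*.c`. A short comment above the `sed` in patchPhase saying why the `base_export` include is replaced by a local `BASE_EXPORT` define would also help whoever next bumps the source.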