author | aszlig <aszlig@redmoonstudios.org> | 2012-11-20 05:01:11 +0100 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2012-11-20 05:01:11 +0100 |
commit | ba238523938cb5c09df7d271ab5da8370e874f68 (patch) | |
tree | a1a7496d98f7f0066d500d383d15cddad2b78930 /pkgs | |
parent | 38153d91054c806d8312a39e6dce1a8b1a532837 (diff) | |
parent | a76e28b54c6a9d7c6600e3e0259070257a018700 (diff) | |
Merge branch 'chromium-update'.
Was about to open a new pull request about how to proceed with the BPF seccomp sandbox, but it turns out that the Chromium security team has not even finished reviewing the legacy sandbox (http://crbug.com/26528, next time look at the date of the issue, shall we?), so it shouldn't make a big difference whether we enable the old seccomp sandbox or the new BPF one. Which of course won't make either of these options more secure and leaves us in the same state we had before, just with chrome://sandbox stating "NOT adequately sandboxed", which resembles the truth more closely.
Diffstat (limited to 'pkgs')
4 files changed, 16 insertions, 39 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index c8a470ce9da2..7d41f72df207 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix @@ -5,7 +5,7 @@ , libevent, expat, libjpeg , libpng, libxml2, libxslt , xdg_utils, yasm, zlib -, libusb1, libexif +, libusb1, libexif, pciutils , python, perl, pkgconfig , nspr, udev, krb5 @@ -84,13 +84,10 @@ let libusb1 libexif ]; - maybeSeccompPatch = let - pre23 = versionOlder sourceInfo.version "23.0.0.0"; - in optional pre23 ./enable_seccomp.patch; + post23 = !versionOlder sourceInfo.version "24.0.0.0"; + post24 = !versionOlder sourceInfo.version "25.0.0.0"; - maybeFixPulseAudioBuild = let - post23 = !versionOlder sourceInfo.version "24.0.0.0"; - in optional (post23 && cfg.pulseaudio) (fetchurl { + maybeFixPulseAudioBuild = optional (post23 && cfg.pulseaudio) (fetchurl { url = http://archrepo.jeago.com/sources/chromium-dev/pulse_audio_fix.patch; sha256 = "1w91mirrkqigdhsj892mqxlc0nlv1dsp5shc46w9xf8nl96jxgfb"; }); @@ -120,7 +117,8 @@ in stdenv.mkDerivation rec { ++ optionals cfg.gnome [ gconf libgcrypt ] ++ optional cfg.selinux libselinux ++ optional cfg.cups libgcrypt - ++ optional cfg.pulseaudio pulseaudio; + ++ optional cfg.pulseaudio pulseaudio + ++ optional post24 pciutils; opensslPatches = optional cfg.openssl openssl.patches; @@ -128,7 +126,6 @@ in stdenv.mkDerivation rec { patches = optional cfg.cups ./cups_allow_deprecated.patch ++ optional cfg.pulseaudio ./pulseaudio_array_bounds.patch - ++ maybeSeccompPatch ++ maybeFixPulseAudioBuild; postPatch = optionalString cfg.openssl '' diff --git a/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch b/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch deleted file mode 100644 index f947d796f186..000000000000 
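Review bot: The names `post23` and `post24` introduced in the `@@ -84,13 +84,10 @@` hunk are easy to misread as "version 23" and "version 24" checks, but they become true only from 24.0.0.0 and 25.0.0.0 upward. Now that they are shared `let` bindings used for both the PulseAudio patch and the `pciutils` build input, a one-line comment would prevent an off-by-one-release mistake when the next conditional is added, for example `# post23: version >= 24.0.0.0; post24: version >= 25.0.0.0`. The enclosing `let` block starts outside the hunk.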
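Review bot: Removing `++ maybeSeccompPatch` from `patches` in the `@@ -128,7 +126,6 @@` hunk leaves the derivation with no record of the sandbox decision that the commit message explains. Judging by the deleted enable_seccomp.patch, an unpatched release (NDEBUG) build keeps the legacy seccomp sandbox off unless `switches::kEnableSeccompSandbox` is passed, at least in the Chromium version that patch targeted. A comment above `patches` would stop a later packager from assuming the package still forces the sandbox on, for example `# seccomp sandbox is left at upstream defaults (see crbug.com/26528); check chrome://sandbox for the effective state`. The `mkDerivation` body continues outside the hunk.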
--- a/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
-index d4618e5..108f846 100644
---- a/content/common/sandbox_linux.cc
-+++ b/content/common/sandbox_linux.cc
-@@ -38,15 +38,9 @@ void LogSandboxStarted(const std::string& sandbox_name) {
- // Implement the command line enabling logic for seccomp-legacy.
- bool IsSeccompLegacyDesired() {
- #if defined(SECCOMP_SANDBOX)
--#if defined(NDEBUG)
-- // Off by default; allow turning on with a switch.
-- return CommandLine::ForCurrentProcess()->HasSwitch(
-- switches::kEnableSeccompSandbox);
--#else
- // On by default; allow turning off with a switch.
- return !CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kDisableSeccompSandbox);
--#endif // NDEBUG
- #endif // SECCOMP_SANDBOX
- return false;
- }
diff --git a/pkgs/applications/networking/browsers/chromium/sources.nix b/pkgs/applications/networking/browsers/chromium/sources.nix
index e829f00471cf..9b6616ec63c3 100644
--- a/pkgs/applications/networking/browsers/chromium/sources.nix
+++ b/pkgs/applications/networking/browsers/chromium/sources.nix
@@ -1,18 +1,18 @@ # This file is autogenerated from update.sh in the same directory. { dev = { - version = "24.0.1312.2"; - url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-24.0.1312.2.tar.bz2"; - sha256 = "155l6sm76cp2vzmm673dnb0vcz7akrz6xfp6jsmaa1175h0yal6h"; + version = "25.0.1323.1"; + url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-25.0.1323.1.tar.bz2"; + sha256 = "1i7ga1qhnjvnw2gynmpmsvvl5pxcb5z9sgldp87d9yalim5sra6s"; }; beta = { - version = "23.0.1271.60"; - url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-23.0.1271.60.tar.bz2"; - sha256 = "1xsa27ay37jls9jiwqn7wfsc4ag02qd316gszb226hp2vhfv6pf2"; + version = "24.0.1312.14"; + url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-24.0.1312.14.tar.bz2"; + sha256 = "03w8cg4kqmpj82976ax9x6y275y9gcri4vc11cvfjp6r1issxzk8"; }; stable = { - version = "22.0.1229.94"; - url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-22.0.1229.94.tar.bz2"; - sha256 = "1bqwlgmn0dm1xvd6v52zf9gjmykgq4fnw7rancbplfpl3rl7xbx0"; + version = "23.0.1271.64"; + url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-23.0.1271.64.tar.bz2"; + sha256 = "1rzz08sgw07nkmvhhgyrkrcxj3z24lxbx0di6ky6jz3lshibp578"; }; } diff --git a/pkgs/applications/networking/browsers/chromium/update.sh b/pkgs/applications/networking/browsers/chromium/update.sh index c978ee4adf3a..2d95d466b2a8 100755 --- a/pkgs/applications/networking/browsers/chromium/update.sh +++ b/pkgs/applications/networking/browsers/chromium/update.sh @@ -1,6 +1,6 @@ #!/bin/sh -channels_url="http://omahaproxy.appspot.com/"; +channels_url="http://omahaproxy.appspot.com/all?csv=1"; bucket_url="http://commondatastorage.googleapis.com/chromium-browser-official/"; output_file="$(cd "$(dirname "$0")" && pwd)/sources.nix"; |
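Review bot: The new `channels_url` in update.sh is still a plain `http://` endpoint, and so is `bucket_url` on the context line below it, so the channel list and presumably the tarballs the script hashes into sources.nix are fetched without transport authentication. The sha256 values in sources.nix protect later builds only against drift from what the updater saw; they would pin whatever a network-positioned party served while the script ran. If both hosts serve TLS, `channels_url="https://omahaproxy.appspot.com/all?csv=1";` and the `https://` form of `bucket_url` close that gap. How the script derives the hashes is outside this hunk, so that part should be confirmed against the rest of update.sh.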