chromium: add ability to control which sandbox is used
First step towards addressing #17460

In order to be able to run the SUID sandbox, which is good for security and required to run Chromium with any kind of reasonable sandboxing when using grsecurity kernels, we want to be able to control where the sandbox comes from in the Chromium wrapper. This commit patches the appropriate bit of source and adds the same old sandbox to the wrapper (so it should be a no-op).
parent 672447f1ad
commit 33557acb36
@ -134,6 +134,12 @@ let
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
# We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
|
||||
substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \
|
||||
--replace \
|
||||
'std::string sandbox_binary(GetSandboxBinaryPath().value());' \
|
||||
'std::string sandbox_binary(GetDevelSandboxPath());'
|
||||
|
||||
sed -i -r \
|
||||
-e 's/-f(stack-protector)(-all)?/-fno-\1/' \
|
||||
-e 's|/bin/echo|echo|' \
|
||||
|
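Review bot: The substituteInPlace call at the top of postPatch has no check that the replacement actually happened, and it depends on an exact match of 'std::string sandbox_binary(GetSandboxBinaryPath().value());'. If a later Chromium release rewords that line, the build can still succeed with the original lookup in place while the wrapper keeps exporting CHROME_DEVEL_SANDBOX, so the sandbox in use would no longer be the one the wrapper names. I would follow the substitution with a grep for 'GetDevelSandboxPath()' in setuid_sandbox_host.cc that fails the build when it is absent. The comment should also say what happens when CHROME_DEVEL_SANDBOX is unset, since GetSandboxBinaryPath() is no longer called here and any launch that bypasses the wrapper relies on that behaviour.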
@ -74,6 +74,7 @@ in stdenv.mkDerivation {
|
||||
|
||||
ln -s "${chromium.browser}/share" "$out/share"
|
||||
eval makeWrapper "${browserBinary}" "$out/bin/chromium" \
|
||||
--set CHROME_DEVEL_SANDBOX "${chromium.browser}/libexec/chromium/chrome-sandbox" \
|
||||
${concatMapStringsSep " " getWrapperFlags chromium.plugins.enabled}
|
||||
|
||||
ln -s "$out/bin/chromium" "$out/bin/chromium-browser"
|
||||
|
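Review bot: The added --set CHROME_DEVEL_SANDBOX line pins the variable unconditionally, so a value already present in the caller's environment is overwritten by the wrapper. For a path that selects a sandbox helper this is probably the safer choice, but it should be stated as deliberate in a comment, because the variable name suggests a developer override that users may expect to work. The literal "${chromium.browser}/libexec/chromium/chrome-sandbox" would also be better lifted into a let binding, so the follow-up for #17460 can swap the sandbox location in one place. Since the line is passed through eval, keep in mind that the quoted value is evaluated a second time by the shell; that is harmless for the current path but matters if the replacement ever contains shell metacharacters.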