chromium: Enable seccomp by default.

If useSELinux is not set, enable seccomp mode by default and avoid building the
SUID helper sandbox at all. This involves a small patch that makes the release
build honour --disable-seccomp-sandbox in place of the previous opt-in
--enable-seccomp-sandbox, so the seccomp sandbox is active by default and can
only be switched off.
This commit is contained in:
aszlig 2012-06-15 11:07:30 +02:00 committed by Eelco Dolstra
parent 2571488e6a
commit ef45195126
2 changed files with 24 additions and 1 deletions


@ -47,12 +47,15 @@ in stdenv.mkDerivation rec {
prePatch = "patchShebangs .";
patches = stdenv.lib.optional (!useSELinux) ./enable_seccomp.patch;
gypFlags = mkGypFlags ({
linux_use_gold_binary = false;
linux_use_gold_flags = false;
proprietary_codecs = false;
use_gnome_keyring = gnomeKeyringSupport;
disable_nacl = !naclSupport;
selinux = useSELinux;
use_cups = false;
} // stdenv.lib.optionalAttrs (stdenv.system == "x86_64-linux") {
target_arch = "x64";
@ -95,7 +98,7 @@ in stdenv.mkDerivation rec {
in "CC=\"${CC}\" CXX=\"${CXX}\" CC.host=\"${CC}\" CXX.host=\"${CXX}\" LINK.host=\"${CXX}\"";
buildPhase = ''
make ${extraBuildFlags} BUILDTYPE=${buildType} library=shared_library chrome chrome_sandbox
make ${extraBuildFlags} BUILDTYPE=${buildType} library=shared_library chrome
'';
installPhase = ''
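Review bot: The build line that drops `chrome_sandbox` is unconditional, while the seccomp patch is applied only when `!useSELinux`; if the SELinux-enabled build still relies on the setuid helper, the target should be gated the same way, e.g. `make ${extraBuildFlags} BUILDTYPE=${buildType} library=shared_library chrome ${stdenv.lib.optionalString useSELinux "chrome_sandbox"}`. The patched function is only compiled under `SECCOMP_SANDBOX` (see the trailing `#endif // SECCOMP_SANDBOX` in the new patch), so on a configuration where that macro is not defined the patch is a no-op and, with the helper no longer built, the browser would run with no process sandbox at all — worth an explicit assertion or at least a comment next to `patches`. As far as I recall, the seccomp sandbox of this Chromium vintage was layered on top of the setuid sandbox rather than replacing it, so this change likely trades the helper's namespace/chroot isolation for syscall filtering alone; confirm before relying on it as the sole sandbox. The enclosing `stdenv.mkDerivation` block starts and ends outside the hunk.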


@ -0,0 +1,20 @@
diff --git a/content/common/seccomp_sandbox.h b/content/common/seccomp_sandbox.h
index a07d6f3..a622a35 100644
--- a/content/common/seccomp_sandbox.h
+++ b/content/common/seccomp_sandbox.h
@@ -29,15 +29,9 @@ static bool SeccompSandboxEnabled() {
// TODO(evan): turn on for release too once we've flushed out all the bugs,
// allowing us to delete this file entirely and just rely on the "disabled"
// switch.
-#ifdef NDEBUG
- // Off by default; allow turning on with a switch.
- return CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox);
-#else
// On by default; allow turning off with a switch.
return !CommandLine::ForCurrentProcess()->HasSwitch(
switches::kDisableSeccompSandbox);
-#endif // NDEBUG
}
#endif // SECCOMP_SANDBOX
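Review bot: The retained `TODO(evan)` comment now contradicts the code beneath it — the patch does exactly what the TODO defers, so a reader of the patched tree cannot tell this is a distro override. Replace the three comment lines with something like `// NixOS: seccomp sandbox is on by default in every build type because the setuid helper is not built; --disable-seccomp-sandbox turns it off.` Note that `switches::kEnableSeccompSandbox` is now silently ignored in release builds rather than "swapped", which the comment could also say. `SeccompSandboxEnabled()` begins before the hunk.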