66d5edf654
Closes #17460 Changed the wrapper derivation to produce a second output containing the sandbox. Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store). This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it. Does not trigger a Chromium rebuild. cc @cleverca22 @joachifm @jasom
29 lines
888 B
Nix
29 lines
888 B
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.security.chromiumSuidSandbox;
|
|
sandbox = pkgs.chromium.sandbox;
|
|
in
|
|
{
|
|
options.security.chromiumSuidSandbox.enable = mkEnableOption ''
|
|
Whether to install the Chromium SUID sandbox which is an executable that
|
|
Chromium may use in order to achieve sandboxing.
|
|
|
|
If you get the error "The SUID sandbox helper binary was found, but is not
|
|
configured correctly.", turning this on might help.
|
|
|
|
Also, if the URL chrome://sandbox tells you that "You are not adequately
|
|
sandboxed!", turning this on might resolve the issue.
|
|
|
|
Finally, if you have <option>security.grsecurity</option> enabled and you
|
|
use Chromium, you probably need this.
|
|
'';
|
|
|
|
config = mkIf cfg.enable {
|
|
environment.systemPackages = [ sandbox ];
|
|
security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
|
|
};
|
|
}
|