chromium: add ability to control which sandbox is used

First step towards addressing #17460

In order to be able to run the SUID sandbox, which is good for security
and required to run Chromium with any kind of reasonable sandboxing when
using grsecurity kernels, we want to be able to control where the
sandbox comes from in the Chromium wrapper. This commit patches the
appropriate bit of source and adds the same old sandbox to the wrapper
(so it should be a no-op).

obadz 33557acb 672447f1

+7
+6
pkgs/applications/networking/browsers/chromium/common.nix
··· 134 134 ]; 135 135 136 136 postPatch = '' 137 + # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX 138 + substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \ 139 + --replace \ 140 + 'std::string sandbox_binary(GetSandboxBinaryPath().value());' \ 141 + 'std::string sandbox_binary(GetDevelSandboxPath());' 142 + 137 143 sed -i -r \ 138 144 -e 's/-f(stack-protector)(-all)?/-fno-\1/' \ 139 145 -e 's|/bin/echo|echo|' \
+1
pkgs/applications/networking/browsers/chromium/default.nix
··· 74 74 75 75 ln -s "${chromium.browser}/share" "$out/share" 76 76 eval makeWrapper "${browserBinary}" "$out/bin/chromium" \ 77 + --set CHROME_DEVEL_SANDBOX "${chromium.browser}/libexec/chromium/chrome-sandbox" \ 77 78 ${concatMapStringsSep " " getWrapperFlags chromium.plugins.enabled} 78 79 79 80 ln -s "$out/bin/chromium" "$out/bin/chromium-browser"
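Review bot: In common.nix, the `substituteInPlace ... --replace` added to `postPatch` depends on the exact text `std::string sandbox_binary(GetSandboxBinaryPath().value());` being present in `setuid_sandbox_host.cc`, and nothing in the hunk checks that the replacement happened. If a later Chromium source formats or renames that line, the build could go through with the original lookup still in place while the wrapper sets a variable that is no longer consulted. Suggest following the substitution with a guard such as `grep -q 'GetDevelSandboxPath()' sandbox/linux/suid/client/setuid_sandbox_host.cc` that fails the build when the string is absent. The comment on the first added line would also be more useful if it said what happens when `CHROME_DEVEL_SANDBOX` is unset or empty, since the replacement removes the `GetSandboxBinaryPath()` call from that statement rather than keeping it as a fallback.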
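Review bot: In default.nix, the added `--set CHROME_DEVEL_SANDBOX ...` line overwrites any value of that variable already present in the caller's environment, and the hunk does not say whether that is intended. If the point is to pin the sandbox helper to `${chromium.browser}/libexec/chromium/chrome-sandbox` so that the environment cannot redirect it, a one-line comment saying so would help the next reader; if a later step is meant to let the system point at a different sandbox binary, note here how that will be done, because `--set` as written leaves no room for it. It would also be worth asserting at build time that the `libexec/chromium/chrome-sandbox` path exists and is executable in `chromium.browser`, since the wrapper would otherwise export a path to nothing and the problem would only surface when the browser starts.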