author | obadz <obadz-git@obadz.com> | 2016-08-06 09:13:20 +0100 |
committer | obadz <obadz-git@obadz.com> | 2016-08-06 10:27:47 +0100 |
commit | 66d5edf654c6c98e3835dbee4f208794fc03c81d (patch) | |
tree | 5d10a31b734a3870a09ae060d573d3e55127241d /pkgs/applications/networking | |
parent | 41b8c6d5a9523598d33e81e0ce7a70d02d748bb3 (diff) |
chromium: add nixos module security.chromiumSuidSandbox
Closes #17460 Changed the wrapper derivation to produce a second output containing the sandbox. Add a launch wrapper that tries to locate the sandbox (either in /var/setuid-wrappers or in /nix/store). This launch wrapper also sheds libredirect.so from LD_PRELOAD, as Chromium does not tolerate it. Does not trigger a Chromium rebuild. cc @cleverca22 @joachifm @jasom
Diffstat (limited to 'pkgs/applications/networking')
-rw-r--r-- | pkgs/applications/networking/browsers/chromium/common.nix | 4 | ||||
-rw-r--r-- | pkgs/applications/networking/browsers/chromium/default.nix | 34 |
2 files changed, 35 insertions, 3 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 2c70978a4962e..119a8c16f15cb 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -96,6 +96,8 @@ let
   buildPath = "out/${buildType}";
   libExecPath = "$out/libexec/${packageName}";
+  sandboxExecutableName = "__chromium-suid-sandbox";
+
   base = rec {
     name = "${packageName}-${version}";
     inherit (upstream-info) version;
@@ -221,6 +223,8 @@ let
       targets = extraAttrs.buildTargets or [];
       commands = map buildCommand targets;
     in concatStringsSep "\n" commands;
+
+    passthru = { inherit sandboxExecutableName; };
   };
   # Remove some extraAttrs we supplied to the base attributes already.
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index a7447db7c220c..8b4cb00a77869 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -1,4 +1,4 @@
-{ newScope, stdenv, makeWrapper, makeDesktopItem
+{ newScope, stdenv, makeWrapper, makeDesktopItem, writeScript
 # package customization
 , channel ? "stable"
@@ -61,22 +61,49 @@ let
   suffix = if channel != "stable" then "-" + channel else "";
+  sandboxExecutableName = chromium.browser.passthru.sandboxExecutableName;
+
 in stdenv.mkDerivation {
   name = "chromium${suffix}-${chromium.browser.version}";
   buildInputs = [ makeWrapper ];
+  outputs = ["out" "sandbox"];
+
   buildCommand = let
     browserBinary = "${chromium.browser}/libexec/chromium/chromium";
     getWrapperFlags = plugin: "$(< \"${plugin}/nix-support/wrapper-flags\")";
+    sandboxExecutableSourcePath = "${chromium.browser}/libexec/chromium/chrome-sandbox";
+    launchScript = writeScript "chromium" ''
+      #! ${stdenv.shell}
+
+      if [ -x "/var/setuid-wrappers/${sandboxExecutableName}" ]
+      then
+        export CHROME_DEVEL_SANDBOX="/var/setuid-wrappers/${sandboxExecutableName}"
+      else
+        export CHROME_DEVEL_SANDBOX="@sandbox@/bin/${sandboxExecutableName}"
+      fi
+
+      # libredirect causes chromium to deadlock on startup
+      export LD_PRELOAD="$(echo -n "$LD_PRELOAD" | tr ':' '\n' | grep -v /lib/libredirect\\.so$ | tr '\n' ':')"
+
+      exec @out@/bin/.chromium-wrapped "''${extraFlagsArray[@]}" "$@"
+    '';
   in with stdenv.lib; ''
     mkdir -p "$out/bin" "$out/share/applications"
     ln -s "${chromium.browser}/share" "$out/share"
-    eval makeWrapper "${browserBinary}" "$out/bin/chromium" \
-      --set CHROME_DEVEL_SANDBOX "${chromium.browser}/libexec/chromium/chrome-sandbox" \
+    eval makeWrapper "${browserBinary}" "$out/bin/.chromium-wrapped" \
       ${concatMapStringsSep " " getWrapperFlags chromium.plugins.enabled}
+    cp -v "${launchScript}" "$out/bin/chromium"
+    substituteInPlace $out/bin/chromium --replace @out@ $out --replace @sandbox@ $sandbox
+    chmod 755 "$out/bin/chromium"
+
+    mkdir -p "$sandbox/bin"
+    [ -x "${sandboxExecutableSourcePath}" ] || exit 1
+    ln -sv "${sandboxExecutableSourcePath}" "$sandbox/bin/${sandboxExecutableName}"
+
     ln -s "$out/bin/chromium" "$out/bin/chromium-browser"
     ln -s "${chromium.browser}/share/icons" "$out/share/icons"
     cp -v "${desktopItem}/share/applications/"* "$out/share/applications"
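Review bot: The build-time guard `[ -x "${sandboxExecutableSourcePath}" ] || exit 1` aborts with no diagnostic, so a missing chrome-sandbox surfaces only as an opaque builder failure; `[ -x "${sandboxExecutableSourcePath}" ] || { echo "chrome-sandbox not found at ${sandboxExecutableSourcePath}" >&2; exit 1; }` names the cause. In the launch script, the `else` branch sets `CHROME_DEVEL_SANDBOX` to a path under `@sandbox@`, i.e. a Nix store path, and as far as I know the store does not preserve the setuid bit, so that fallback cannot provide a privileged sandbox helper; a comment such as `# store copy is not setuid: only lets Chromium report the missing wrapper, the NixOS option installs the real one` would stop the next reader from treating it as a working second path. The `/var/setuid-wrappers` branch also only tests `-x`, so a plain non-setuid copy at that location passes the check as well; `[ -u ... ]` would distinguish the two, if the wrapper is expected to carry the bit. The enclosing `stdenv.mkDerivation` call continues past the end of this hunk.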
@@ -87,5 +114,6 @@ in stdenv.mkDerivation {
   passthru = {
     inherit (chromium) upstream-info;
     mkDerivation = chromium.mkChromiumDerivation;
+    inherit sandboxExecutableName;
   };
 }
|