chromium: Drop obsolete pre-v23 seccomp patch.
The patch is no longer needed, as we are now using the BPF seccomp sandbox. Unfortunately this is not marked "adequately sandboxed" in chrome://sandbox, as it awaits security review on http://crbug.com/26528. Unfortunately this gets us into a position where we can't be sure if the sandbox is working correctly, especially because the non-BPF seccomp sandbox has a bunch of stability issues and is marked legacy. And we definitely don't want to add support for the setuid sandbox, do we? Signed-off-by: aszlig <aszlig@redmoonstudios.org>
parent
d5c639cb55
commit
af8f08d638
@ -84,10 +84,6 @@ let
|
||||
libusb1 libexif
|
||||
];
|
||||
|
||||
maybeSeccompPatch = let
|
||||
pre23 = versionOlder sourceInfo.version "23.0.0.0";
|
||||
in optional pre23 ./enable_seccomp.patch;
|
||||
|
||||
maybeFixPulseAudioBuild = let
|
||||
post23 = !versionOlder sourceInfo.version "24.0.0.0";
|
||||
in optional (post23 && cfg.pulseaudio) (fetchurl {
|
||||
@ -128,7 +124,6 @@ in stdenv.mkDerivation rec {
|
||||
|
||||
patches = optional cfg.cups ./cups_allow_deprecated.patch
|
||||
++ optional cfg.pulseaudio ./pulseaudio_array_bounds.patch
|
||||
++ maybeSeccompPatch
|
||||
++ maybeFixPulseAudioBuild;
|
||||
|
||||
postPatch = optionalString cfg.openssl ''
|
||||
|
@ -1,20 +0,0 @@
|
||||
diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
|
||||
index d4618e5..108f846 100644
|
||||
--- a/content/common/sandbox_linux.cc
|
||||
+++ b/content/common/sandbox_linux.cc
|
||||
@@ -38,15 +38,9 @@ void LogSandboxStarted(const std::string& sandbox_name) {
|
||||
// Implement the command line enabling logic for seccomp-legacy.
|
||||
bool IsSeccompLegacyDesired() {
|
||||
#if defined(SECCOMP_SANDBOX)
|
||||
-#if defined(NDEBUG)
|
||||
- // Off by default; allow turning on with a switch.
|
||||
- return CommandLine::ForCurrentProcess()->HasSwitch(
|
||||
- switches::kEnableSeccompSandbox);
|
||||
-#else
|
||||
// On by default; allow turning off with a switch.
|
||||
return !CommandLine::ForCurrentProcess()->HasSwitch(
|
||||
switches::kDisableSeccompSandbox);
|
||||
-#endif // NDEBUG
|
||||
#endif // SECCOMP_SANDBOX
|
||||
return false;
|
||||
}
|