chromium: Drop obsolete pre-v23 seccomp patch.

The patch is no longer needed, as we are now using the BPF seccomp sandbox. Unfortunately this is not marked "adequately sandboxed" in chrome://sandbox, as it awaits security review on http://crbug.com/26528. Unfortunately this gets us into a position where we can't be sure if the sandbox is working correctly, especially because the non-BPF seccomp sandbox has a bunch of stability issues and is marked legacy. And we definitely don't want to add support for the setuid sandbox, do we? Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2024-10-01 18:17:21 +03:00 · 2012-11-20 00:32:45 +01:00 · 2012-11-20 00:32:45 +01:00 · af8f08d638
commit af8f08d638
parent d5c639cb55
2 changed files with 0 additions and 25 deletions
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@ -84,10 +84,6 @@ let
    libusb1 libexif
  ];

-  maybeSeccompPatch = let
-    pre23 = versionOlder sourceInfo.version "23.0.0.0";
-  in optional pre23 ./enable_seccomp.patch;
-
  maybeFixPulseAudioBuild = let
    post23 = !versionOlder sourceInfo.version "24.0.0.0";
  in optional (post23 && cfg.pulseaudio) (fetchurl {
@ -128,7 +124,6 @@ in stdenv.mkDerivation rec {

  patches = optional cfg.cups ./cups_allow_deprecated.patch
         ++ optional cfg.pulseaudio ./pulseaudio_array_bounds.patch
-         ++ maybeSeccompPatch
         ++ maybeFixPulseAudioBuild;

  postPatch = optionalString cfg.openssl ''
--- a/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
+++ b/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
@ -1,20 +0,0 @@
-diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
-index d4618e5..108f846 100644
--- a/content/common/sandbox_linux.cc
-+++ b/content/common/sandbox_linux.cc
-@@ -38,15 +38,9 @@ void LogSandboxStarted(const std::string& sandbox_name) {
- // Implement the command line enabling logic for seccomp-legacy.
- bool IsSeccompLegacyDesired() {
- #if defined(SECCOMP_SANDBOX)
-#if defined(NDEBUG)
-  // Off by default; allow turning on with a switch.
-  return CommandLine::ForCurrentProcess()->HasSwitch(
-      switches::kEnableSeccompSandbox);
-#else
-   // On by default; allow turning off with a switch.
-   return !CommandLine::ForCurrentProcess()->HasSwitch(
-       switches::kDisableSeccompSandbox);
-#endif  // NDEBUG
- #endif  // SECCOMP_SANDBOX
-   return false;
- }