From af8f08d63862d686697555b3759c9125956e97e6 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Tue, 20 Nov 2012 00:32:45 +0100
Subject: [PATCH] chromium: Drop obsolete pre-v23 seccomp patch.
The patch is no longer needed, as we are now using the BPF seccomp sandbox. Unfortunately this is not marked "adequately sandboxed" in chrome://sandbox, as it awaits security review on http://crbug.com/26528. Unfortunately this gets us into a position where we can't be sure if the sandbox is working correctly, especially because the non-BPF seccomp sandbox has a bunch of stability issues and is marked legacy. And we definitely don't want to add support for the setuid sandbox, do we?
Signed-off-by: aszlig
---
 .../networking/browsers/chromium/default.nix | 5 -----
 .../browsers/chromium/enable_seccomp.patch | 20 -------------------
 2 files changed, 25 deletions(-)
 delete mode 100644 pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index c8a470ce9da2..ec431108011c 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -84,10 +84,6 @@ let
 libusb1 libexif
 ];
- maybeSeccompPatch = let
- pre23 = versionOlder sourceInfo.version "23.0.0.0";
- in optional pre23 ./enable_seccomp.patch;
-
 maybeFixPulseAudioBuild = let
 post23 = !versionOlder sourceInfo.version "24.0.0.0";
 in optional (post23 && cfg.pulseaudio) (fetchurl {
@@ -128,7 +124,6 @@ in stdenv.mkDerivation rec {
 patches = optional cfg.cups ./cups_allow_deprecated.patch
 ++ optional cfg.pulseaudio ./pulseaudio_array_bounds.patch
- ++ maybeSeccompPatch
 ++ maybeFixPulseAudioBuild;
 postPatch = optionalString cfg.openssl ''
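Review bot: Removing `maybeSeccompPatch` drops the only version gate around the seccomp sandbox: the deleted `pre23` binding shows that releases older than 23.0.0.0 only got a seccomp sandbox via `./enable_seccomp.patch`, so if `sourceInfo.version` can still resolve to such a release, the `patches` list in the second hunk now builds it with that sandbox silently absent rather than failing. A one-line guard on that binding would turn this into a build error, e.g. `patches = assert !versionOlder sourceInfo.version "23.0.0.0"; optional cfg.cups ./cups_allow_deprecated.patch`. The caveat in the commit message, that the BPF sandbox is not yet reported as adequately sandboxed in chrome://sandbox pending review at http://crbug.com/26528, would otherwise live only in history; a comment above `patches` such as `# Relies on Chromium's built-in BPF seccomp sandbox (>= 23); chrome://sandbox does not yet report it as adequately sandboxed, see http://crbug.com/26528.` keeps that status visible to maintainers. The `let` block of the first hunk and the `mkDerivation` body of the second both continue outside the hunks.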
diff --git a/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch b/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
deleted file mode 100644
index f947d796f186..000000000000
--- a/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
-index d4618e5..108f846 100644
---- a/content/common/sandbox_linux.cc
-+++ b/content/common/sandbox_linux.cc
-@@ -38,15 +38,9 @@ void LogSandboxStarted(const std::string& sandbox_name) {
- // Implement the command line enabling logic for seccomp-legacy.
- bool IsSeccompLegacyDesired() {
- #if defined(SECCOMP_SANDBOX)
--#if defined(NDEBUG)
-- // Off by default; allow turning on with a switch.
-- return CommandLine::ForCurrentProcess()->HasSwitch(
-- switches::kEnableSeccompSandbox);
--#else
- // On by default; allow turning off with a switch.
- return !CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kDisableSeccompSandbox);
--#endif // NDEBUG
- #endif // SECCOMP_SANDBOX
- return false;
- }