author | Peter Simons <simons@cryp.to> | 2014-08-04 16:51:47 +0200 |
---|---|---|
committer | Peter Simons <simons@cryp.to> | 2014-08-04 16:51:47 +0200 |
commit | 2d326e5032fda2210ff84118a526195f0a68bd24 (patch) | |
tree | d3af676b9948c865f1e942e1db51862da5e19ad5 /pkgs/applications/networking/browsers/chromium/source | |
parent | 9253a95f6b3f65ecc701ebb10620acfb6d251f17 (diff) | |
parent | b35770818d70924b2b71ae41ead270fe0be8c826 (diff) | |
Merge remote-tracking branch 'origin/master' into staging.
Conflicts: pkgs/desktops/e18/enlightenment.nix
Diffstat (limited to 'pkgs/applications/networking/browsers/chromium/source')
4 files changed, 14 insertions, 661 deletions
diff --git a/pkgs/applications/networking/browsers/chromium/source/angle_build_37.patch b/pkgs/applications/networking/browsers/chromium/source/angle_build_37.patch deleted file mode 100644 index a3e8c91174a..00000000000 --- a/pkgs/applications/networking/browsers/chromium/source/angle_build_37.patch +++ /dev/null @@ -1,347 +0,0 @@ -commit 9c4b24a52e0ff478aa170d33e26c44acd8c68be3 -Author: Jamie Madill <jmadill@chromium.org> -Date: Thu Jun 12 13:41:17 2014 -0400 - - Use commit_id.py on Windows, and handle missing git. - - This allows us to delete the Windows batch file. - - Changes the commit_id script to take the working directory so that it - can be called from a different working directory than the angle - repository is in. - - Renames the generated commit header to angle_commit.h. This is being - written to the shared generated code directory for the entire build, - and "commit.h" is insufficiently unique. - - BUG=angle:669 - - Change-Id: I35e80411a7e8ba1e02ce3f6a4fc54ed4dbc918f3 - Reviewed-on: https://chromium-review.googlesource.com/202048 - Reviewed-by: Geoff Lang <geofflang@chromium.org> - Tested-by: Jamie Madill <jmadill@chromium.org> - [Removed and/or fixed up Windows specific hunks] - 
Signed-off-by: aszlig <aszlig@redmoonstudios.org> - -diff --git a/generate_projects b/generate_projects -index 6743254..8175277 100644 ---- a/generate_projects -+++ b/generate_projects -@@ -34,6 +34,7 @@ if __name__ == '__main__': - gyp_cmd += ' -D angle_build_tests=' + ('1' if build_tests else '0') - gyp_cmd += ' -D angle_build_samples=' + ('1' if build_samples else '0') - gyp_cmd += ' -D release_symbols=' + ('true' if release_symbols else 'false') -+ gyp_cmd += ' -D angle_use_commit_id=0' - gyp_cmd += ' ' + os.path.join(script_dir, 'all.gyp') - - print 'Generating projects to ' + generation_dir + ' from gyp files...' -diff --git a/projects/build/all.sln b/projects/build/all.sln -index 1aa0796..5862edd 100644 ---- a/projects/build/all.sln -+++ b/projects/build/all.sln -@@ -3,11 +3,11 @@ Microsoft Visual Studio Solution File, Format Version 11.00 - Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "All", "All.vcxproj", "{D048EF6F-5312-AF41-8D8A-DB22CD8634E6}" - ProjectSection(ProjectDependencies) = postProject - {63FB0B97-D1D9-5158-8E85-7F5B1E403817} = {63FB0B97-D1D9-5158-8E85-7F5B1E403817} -- {3B7F5656-177F-52EE-26B3-D6A75368D0A9} = {3B7F5656-177F-52EE-26B3-D6A75368D0A9} - {C7BAF548-697D-2DCB-9DF3-9D1506A7B444} = {C7BAF548-697D-2DCB-9DF3-9D1506A7B444} - {276D20F5-2943-414C-0FF6-21F4723A5CF6} = {276D20F5-2943-414C-0FF6-21F4723A5CF6} - {C15697F6-5057-016E-BD29-422971875679} = {C15697F6-5057-016E-BD29-422971875679} - {19386E01-D811-FA3B-9F1E-122BB0C0E9F5} = {19386E01-D811-FA3B-9F1E-122BB0C0E9F5} -+ {3B7F5656-177F-52EE-26B3-D6A75368D0A9} = {3B7F5656-177F-52EE-26B3-D6A75368D0A9} - {22DC02D5-1598-943C-13E1-82185B469F81} = {22DC02D5-1598-943C-13E1-82185B469F81} - {7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81} = {7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81} - {FBAEE4F6-562A-588F-01F9-72DCABB3B061} = {FBAEE4F6-562A-588F-01F9-72DCABB3B061} -@@ -30,9 +30,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "All", "All.vcxproj", "{D048 - EndProjectSection - EndProject - 
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "commit_id", "..\src\commit_id.vcxproj", "{3B7F5656-177F-52EE-26B3-D6A75368D0A9}" -- ProjectSection(ProjectDependencies) = postProject -- {63FB0B97-D1D9-5158-8E85-7F5B1E403817} = {63FB0B97-D1D9-5158-8E85-7F5B1E403817} -- EndProjectSection - EndProject - Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "copy_compiler_dll", "..\src\copy_compiler_dll.vcxproj", "{22DC02D5-1598-943C-13E1-82185B469F81}" - ProjectSection(ProjectDependencies) = postProject -@@ -68,7 +65,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libEGL", "..\src\libEGL.vcx - ProjectSection(ProjectDependencies) = postProject - {7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81} = {7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81} - {3B7F5656-177F-52EE-26B3-D6A75368D0A9} = {3B7F5656-177F-52EE-26B3-D6A75368D0A9} -- {63FB0B97-D1D9-5158-8E85-7F5B1E403817} = {63FB0B97-D1D9-5158-8E85-7F5B1E403817} - EndProjectSection - EndProject - Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libGLESv2", "..\src\libGLESv2.vcxproj", "{7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81}" -diff --git a/projects/samples/samples.sln b/projects/samples/samples.sln -index 53cec34..b927860 100644 ---- a/projects/samples/samples.sln -+++ b/projects/samples/samples.sln -@@ -1,9 +1,6 @@ - Microsoft Visual Studio Solution File, Format Version 11.00 - # Visual C++ Express 2010 - Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "commit_id", "..\src\commit_id.vcxproj", "{3B7F5656-177F-52EE-26B3-D6A75368D0A9}" -- ProjectSection(ProjectDependencies) = postProject -- {63FB0B97-D1D9-5158-8E85-7F5B1E403817} = {63FB0B97-D1D9-5158-8E85-7F5B1E403817} -- EndProjectSection - EndProject - Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "copy_compiler_dll", "..\src\copy_compiler_dll.vcxproj", "{22DC02D5-1598-943C-13E1-82185B469F81}" - ProjectSection(ProjectDependencies) = postProject -@@ -39,7 +36,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libEGL", "..\src\libEGL.vcx - 
ProjectSection(ProjectDependencies) = postProject - {7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81} = {7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81} - {3B7F5656-177F-52EE-26B3-D6A75368D0A9} = {3B7F5656-177F-52EE-26B3-D6A75368D0A9} -- {63FB0B97-D1D9-5158-8E85-7F5B1E403817} = {63FB0B97-D1D9-5158-8E85-7F5B1E403817} - EndProjectSection - EndProject - Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libGLESv2", "..\src\libGLESv2.vcxproj", "{7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81}" -diff --git a/projects/src/angle.sln b/projects/src/angle.sln -index 0d6ec65..cdf9f53 100644 ---- a/projects/src/angle.sln -+++ b/projects/src/angle.sln -@@ -1,9 +1,6 @@ - Microsoft Visual Studio Solution File, Format Version 11.00 - # Visual C++ Express 2010 - Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "commit_id", "commit_id.vcxproj", "{3B7F5656-177F-52EE-26B3-D6A75368D0A9}" -- ProjectSection(ProjectDependencies) = postProject -- {63FB0B97-D1D9-5158-8E85-7F5B1E403817} = {63FB0B97-D1D9-5158-8E85-7F5B1E403817} -- EndProjectSection - EndProject - Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "copy_compiler_dll", "copy_compiler_dll.vcxproj", "{22DC02D5-1598-943C-13E1-82185B469F81}" - ProjectSection(ProjectDependencies) = postProject -@@ -16,7 +13,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libEGL", "libEGL.vcxproj", - ProjectSection(ProjectDependencies) = postProject - {7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81} = {7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81} - {3B7F5656-177F-52EE-26B3-D6A75368D0A9} = {3B7F5656-177F-52EE-26B3-D6A75368D0A9} -- {63FB0B97-D1D9-5158-8E85-7F5B1E403817} = {63FB0B97-D1D9-5158-8E85-7F5B1E403817} - EndProjectSection - EndProject - Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libGLESv2", "libGLESv2.vcxproj", "{7FBD6F69-B9A4-69F1-A12B-8DACB3F8CD81}" -diff --git a/src/angle.gypi b/src/angle.gypi -index 5339369..ef16749 100644 ---- a/src/angle.gypi -+++ b/src/angle.gypi -@@ -7,6 +7,12 @@ - { - 'angle_code': 1, - 'angle_post_build_script%': 0, -+ 'angle_gen_path': 
'<(SHARED_INTERMEDIATE_DIR)/angle', -+ 'angle_id_script_base': 'commit_id.py', -+ 'angle_id_script': '<(angle_gen_path)/<(angle_id_script_base)', -+ 'angle_id_header_base': 'commit.h', -+ 'angle_id_header': '<(angle_gen_path)/id/<(angle_id_header_base)', -+ 'angle_use_commit_id%': '<!(python <(angle_id_script_base) check ..)', - }, - 'includes': - [ -@@ -23,57 +29,71 @@ - 'copies': - [ - { -- 'destination': '<(SHARED_INTERMEDIATE_DIR)', -- 'files': [ 'commit_id.bat', 'copy_compiler_dll.bat', 'commit_id.py' ], -+ 'destination': '<(angle_gen_path)', -+ 'files': [ 'copy_compiler_dll.bat', '<(angle_id_script_base)' ], - }, - ], - }, -- -+ ], -+ 'conditions': -+ [ -+ ['angle_use_commit_id!=0', - { -- 'target_name': 'commit_id', -- 'type': 'none', -- 'includes': [ '../build/common_defines.gypi', ], -- 'dependencies': [ 'copy_scripts', ], -- 'conditions': -+ 'targets': - [ -- ['OS=="win"', - { -+ 'target_name': 'commit_id', -+ 'type': 'none', -+ 'includes': [ '../build/common_defines.gypi', ], -+ 'dependencies': [ 'copy_scripts', ], - 'actions': - [ - { -- 'action_name': 'Generate Commit ID Header', -- 'message': 'Generating commit ID header...', -+ 'action_name': 'Generate ANGLE Commit ID Header', -+ 'message': 'Generating ANGLE Commit ID', -+ # reference the git index as an input, so we rebuild on changes to the index -+ 'inputs': [ '<(angle_id_script)', '<(angle_path)/.git/index' ], -+ 'outputs': [ '<(angle_id_header)' ], - 'msvs_cygwin_shell': 0, -- 'inputs': [ '<(SHARED_INTERMEDIATE_DIR)/commit_id.bat', '<(angle_path)/.git/index' ], -- 'outputs': [ '<(SHARED_INTERMEDIATE_DIR)/commit.h' ], -- 'action': [ '<(SHARED_INTERMEDIATE_DIR)/commit_id.bat', '<(SHARED_INTERMEDIATE_DIR)' ], -+ 'action': -+ [ -+ 'python', '<(angle_id_script)', 'gen', '<(angle_path)', '<(angle_id_header)' -+ ], - }, - ], -- }, -- { # OS != win -- 'actions': -+ 'direct_dependent_settings': -+ { -+ 'include_dirs': -+ [ -+ '<(angle_gen_path)', -+ ], -+ }, -+ } -+ ] -+ }, -+ { # angle_use_commit_id==0 
-+ 'targets': -+ [ -+ { -+ 'target_name': 'commit_id', -+ 'type': 'none', -+ 'copies': - [ - { -- 'action_name': 'Generate Commit ID Header', -- 'message': 'Generating commit ID header...', -- 'inputs': [ '<(SHARED_INTERMEDIATE_DIR)/commit_id.py', '<(angle_path)/.git/index' ], -- 'outputs': [ '<(SHARED_INTERMEDIATE_DIR)/commit.h' ], -- 'action': [ 'python', '<(SHARED_INTERMEDIATE_DIR)/commit_id.py', '<(SHARED_INTERMEDIATE_DIR)/commit.h' ], -- }, -+ 'destination': '<(angle_gen_path)/id', -+ 'files': [ '<(angle_id_header_base)' ] -+ } - ], -- }], -- ], -- 'direct_dependent_settings': -- { -- 'include_dirs': -- [ -- '<(SHARED_INTERMEDIATE_DIR)', -- ], -- }, -- }, -- ], -- 'conditions': -- [ -+ 'direct_dependent_settings': -+ { -+ 'include_dirs': -+ [ -+ '<(angle_gen_path)', -+ ], -+ }, -+ } -+ ] -+ }], - ['OS=="win"', - { - 'targets': -@@ -93,7 +113,7 @@ - 'outputs': [ '<(PRODUCT_DIR)/D3DCompiler_46.dll' ], - 'action': - [ -- "<(SHARED_INTERMEDIATE_DIR)/copy_compiler_dll.bat", -+ "<(angle_gen_path)/copy_compiler_dll.bat", - "$(PlatformName)", - "<(windows_sdk_path)", - "<(PRODUCT_DIR)" -diff --git a/src/commit.h b/src/commit.h -new file mode 100644 -index 0000000..4c89a65 ---- /dev/null -+++ b/src/commit.h -@@ -0,0 +1,14 @@ -+// -+// Copyright (c) 2014 The ANGLE Project Authors. All rights reserved. -+// Use of this source code is governed by a BSD-style license that can be -+// found in the LICENSE file. -+// -+// commit.h: -+// This is a default commit hash header, when git is not available. 
-+// -+ -+#define ANGLE_COMMIT_HASH "unknown hash" -+#define ANGLE_COMMIT_HASH_SIZE 12 -+#define ANGLE_COMMIT_DATE "unknown date" -+ -+#define ANGLE_DISABLE_PROGRAM_BINARY_LOAD -diff --git a/src/commit_id.py b/src/commit_id.py -index 6339cca..7f711e7 100644 ---- a/src/commit_id.py -+++ b/src/commit_id.py -@@ -1,19 +1,35 @@ - import subprocess as sp - import sys -+import os - --def grab_output(*command): -- return sp.Popen(command, stdout=sp.PIPE).communicate()[0].strip() -+# Usage: commit_id.py check <angle_dir> (checks if git is present) -+# Usage: commit_id.py gen <angle_dir> <file_to_write> (generates commit id) - -+def grab_output(command, cwd): -+ return sp.Popen(command, stdout=sp.PIPE, shell=True, cwd=cwd).communicate()[0].strip() -+ -+operation = sys.argv[1] -+cwd = sys.argv[2] -+ -+if operation == 'check': -+ index_path = os.path.join(cwd, '.git', 'index') -+ if os.path.exists(index_path): -+ print("1") -+ else: -+ print("0") -+ sys.exit(0) -+ -+output_file = sys.argv[3] - commit_id_size = 12 - - try: -- commit_id = grab_output('git', 'rev-parse', '--short=%d' % commit_id_size, 'HEAD') -- commit_date = grab_output('git', 'show', '-s', '--format=%ci', 'HEAD') -+ commit_id = grab_output('git rev-parse --short=%d HEAD' % commit_id_size, cwd) -+ commit_date = grab_output('git show -s --format=%ci HEAD', cwd) - except: - commit_id = 'invalid-hash' - commit_date = 'invalid-date' - --hfile = open(sys.argv[1], 'w') -+hfile = open(output_file, 'w') - - hfile.write('#define ANGLE_COMMIT_HASH "%s"\n' % commit_id) - hfile.write('#define ANGLE_COMMIT_HASH_SIZE %d\n' % commit_id_size) -diff --git a/src/common/version.h b/src/common/version.h -index b9781d7..d9148d1 100644 ---- a/src/common/version.h -+++ b/src/common/version.h -@@ -1,4 +1,4 @@ --#include "commit.h" -+#include "id/commit.h" - - #define ANGLE_MAJOR_VERSION 2 - #define ANGLE_MINOR_VERSION 1 -diff --git a/src/libGLESv2/ProgramBinary.cpp b/src/libGLESv2/ProgramBinary.cpp -index 8525ffb..e3ffa47 100644 ---- 
a/src/libGLESv2/ProgramBinary.cpp -+++ b/src/libGLESv2/ProgramBinary.cpp -@@ -1018,6 +1018,9 @@ bool ProgramBinary::linkVaryings(InfoLog &infoLog, FragmentShader *fragmentShade - - bool ProgramBinary::load(InfoLog &infoLog, const void *binary, GLsizei length) - { -+#ifdef ANGLE_DISABLE_PROGRAM_BINARY_LOAD -+ return false; -+#else - BinaryInputStream stream(binary, length); - - int format = stream.readInt<int>(); -@@ -1260,6 +1263,7 @@ bool ProgramBinary::load(InfoLog &infoLog, const void *binary, GLsizei length) - initializeUniformStorage(); - - return true; -+#endif // #ifdef ANGLE_DISABLE_PROGRAM_BINARY_LOAD - } - - bool ProgramBinary::save(void* binary, GLsizei bufSize, GLsizei *length) diff --git a/pkgs/applications/networking/browsers/chromium/source/default.nix b/pkgs/applications/networking/browsers/chromium/source/default.nix index 0d8a4156703..d7ccc412fa4 100644 --- a/pkgs/applications/networking/browsers/chromium/source/default.nix +++ b/pkgs/applications/networking/browsers/chromium/source/default.nix @@ -22,9 +22,7 @@ stdenv.mkDerivation { prePatch = "patchShebangs ."; - patches = if (versionOlder version "36.0.0.0") - then singleton ./sandbox_userns_31.patch - else singleton ./sandbox_userns_36.patch; + patches = singleton ./sandbox_userns_36.patch; postPatch = '' sed -i -r \ 
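Review bot: `patches = singleton ./sandbox_userns_36.patch;` now applies the user-namespace sandbox patch to every channel with no version guard, and nothing in default.nix records what the patch changes or which releases it is expected to apply to. The sandbox_userns_31.patch deleted in this same commit falls back to launching the zygote without any sandbox when the user-namespace launch fails, reporting it only through `LOG(ERROR)`; the _36 variant is not visible on this page, so it is worth confirming whether it keeps that fallback. A comment above the line would record this, for example `# user-namespace sandbox instead of the setuid helper; needs a kernel with CONFIG_USER_NS, re-check on each major version bump`. The enclosing `stdenv.mkDerivation` body continues outside the hunk.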
@@ -32,14 +30,13 @@ stdenv.mkDerivation { -e 's|/bin/echo|echo|' \ -e "/python_arch/s/: *'[^']*'/: '""'/" \ build/common.gypi chrome/chrome_tests.gypi + '' + optionalString (versionOlder version "38.0.0.0") '' sed -i -e '/not RunGN/,+1d' -e '/import.*depot/d' build/gyp_chromium sed -i -e 's|/usr/bin/gcc|gcc|' \ third_party/WebKit/Source/build/scripts/scripts.gypi \ third_party/WebKit/Source/build/scripts/preprocessor.pm '' + optionalString useOpenSSL '' cat $opensslPatches | patch -p1 -d third_party/openssl/openssl - '' + optionalString (!versionOlder version "37.0.0.0") '' - patch -p1 -d third_party/angle < "${./angle_build_37.patch}" ''; outputs = [ "out" "sandbox" "bundled" "main" ]; diff --git a/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_31.patch b/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_31.patch deleted file mode 100644 index 490c1a9cebe..00000000000 --- a/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_31.patch +++ /dev/null 
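Review bot: The new `optionalString (versionOlder version "38.0.0.0")` guard carries no comment saying why 38 and later no longer need the `build/gyp_chromium` and `/usr/bin/gcc` substitutions, so the next channel bump has nothing to check the cut-off against. The same hunk stops applying angle_build_37.patch to versions 37 and later while sources.nix still ships beta 37.0.2062.58, presumably because that release already contains the ANGLE change; this cannot be confirmed from the page. A short comment next to the guard would cover both, e.g. `# gyp_chromium and the /usr/bin/gcc references only need fixing before 38; the ANGLE commit_id fix is upstream from 37 on`. The `postPatch` string starts above the hunk.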
@@ -1,297 +0,0 @@ -commit ff4e8b4af04c58fc4c58ee7ed108aefcdc26a960 -Author: aszlig <aszlig@redmoonstudios.org> -Date: Thu May 16 14:17:56 2013 +0200 - - zygote: Add support for user namespaces on Linux. - - The implementation is done by patching the Zygote host to execute the sandbox - binary with CLONE_NEWUSER and setting the uid and gid mapping so that the child - process is using uid 0 and gid 0 which map to the current user of the parent. - Afterwards, the sandbox will continue as if it was called as a setuid binary. - - In addition, this adds new_user_namespace as an option in process_util in order - to set the UID and GID mapping correctly. The reason for this is that just - passing CLONE_NEWUSER to clone_flags doesn't help in LaunchProcess(), because - without setting the mappings exec*() will clear the process's capability sets. - - If the kernel doesn't support unprivileged user namespaces and the sandbox - binary doesn't have the setuid flag, the Zygote main process will run without a - sandbox. This is to mimic the behaviour if no SUID sandbox binary path is set. - - 
Signed-off-by: aszlig <aszlig@redmoonstudios.org> - -diff --git a/base/process/launch.cc b/base/process/launch.cc -index 1329a5a..ec28fdf 100644 ---- a/base/process/launch.cc -+++ b/base/process/launch.cc -@@ -24,6 +24,7 @@ LaunchOptions::LaunchOptions() - new_process_group(false) - #if defined(OS_LINUX) - , clone_flags(0) -+ , new_user_namespace(false) - #endif // OS_LINUX - #if defined(OS_CHROMEOS) - , ctrl_terminal_fd(-1) -diff --git a/base/process/launch.h b/base/process/launch.h -index ac2df5e..34a3851 100644 ---- a/base/process/launch.h -+++ b/base/process/launch.h -@@ -100,6 +100,9 @@ struct BASE_EXPORT LaunchOptions { - #if defined(OS_LINUX) - // If non-zero, start the process using clone(), using flags as provided. - int clone_flags; -+ -+ // If true, start the process in a new user namespace. -+ bool new_user_namespace; - #endif // defined(OS_LINUX) - - #if defined(OS_CHROMEOS) -diff --git a/base/process/launch_posix.cc b/base/process/launch_posix.cc -index de6286d..9333494 100644 ---- a/base/process/launch_posix.cc -+++ b/base/process/launch_posix.cc -@@ -37,6 +37,13 @@ - #include "base/threading/platform_thread.h" - #include "base/threading/thread_restrictions.h" - -+#if defined(OS_LINUX) -+#include <sched.h> -+#if !defined(CLONE_NEWUSER) -+#define CLONE_NEWUSER 0x10000000 -+#endif -+#endif -+ - #if defined(OS_CHROMEOS) - #include <sys/ioctl.h> - #endif -@@ -294,13 +301,23 @@ bool LaunchProcess(const std::vector<std::string>& argv, - - pid_t pid; - #if defined(OS_LINUX) -- if (options.clone_flags) { -+ int map_pipe_fd[2]; -+ int flags = options.clone_flags; -+ -+ if (options.new_user_namespace) { -+ flags |= CLONE_NEWUSER; -+ if (pipe(map_pipe_fd) < 0) { -+ DPLOG(ERROR) << "user namespace pipe"; -+ return false; -+ } -+ } -+ -+ if (options.clone_flags || options.new_user_namespace) { - // Signal handling in this function assumes the creation of a new - // process, so we check that a thread is not being created by mistake - // and that signal handling 
follows the process-creation rules. -- RAW_CHECK( -- !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM))); -- pid = syscall(__NR_clone, options.clone_flags, 0, 0, 0); -+ RAW_CHECK(!(flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM))); -+ pid = syscall(__NR_clone, flags, 0, 0, 0); - } else - #endif - { -@@ -318,6 +335,21 @@ bool LaunchProcess(const std::vector<std::string>& argv, - } else if (pid == 0) { - // Child process - -+#if defined(OS_LINUX) -+ if (options.new_user_namespace) { -+ // Close the write end of the pipe so we get an EOF when the parent closes -+ // the FD. This is to avoid race conditions when the UID/GID mappings are -+ // written _after_ execvp(). -+ close(map_pipe_fd[1]); -+ -+ char dummy; -+ if (HANDLE_EINTR(read(map_pipe_fd[0], &dummy, 1)) != 0) { -+ RAW_LOG(ERROR, "Unexpected input in uid/gid mapping pipe."); -+ _exit(127); -+ } -+ } -+#endif -+ - // DANGER: fork() rule: in the child, if you don't end up doing exec*(), - // you call _exit() instead of exit(). This is because _exit() does not - // call any previously-registered (in the parent) exit handlers, which -@@ -433,6 +465,40 @@ bool LaunchProcess(const std::vector<std::string>& argv, - _exit(127); - } else { - // Parent process -+#if defined(OS_LINUX) -+ if (options.new_user_namespace) { -+ // We need to write UID/GID mapping here to map the current user outside -+ // the namespace to the root user inside the namespace in order to -+ // correctly "fool" the child process. 
-+ char buf[256]; -+ int map_fd, map_len; -+ -+ snprintf(buf, sizeof(buf), "/proc/%d/uid_map", pid); -+ map_fd = open(buf, O_RDWR); -+ DPCHECK(map_fd >= 0); -+ snprintf(buf, sizeof(buf), "0 %d 1", geteuid()); -+ map_len = strlen(buf); -+ if (write(map_fd, buf, map_len) != map_len) { -+ RAW_LOG(WARNING, "Can't write to uid_map."); -+ } -+ close(map_fd); -+ -+ snprintf(buf, sizeof(buf), "/proc/%d/gid_map", pid); -+ map_fd = open(buf, O_RDWR); -+ DPCHECK(map_fd >= 0); -+ snprintf(buf, sizeof(buf), "0 %d 1", getegid()); -+ map_len = strlen(buf); -+ if (write(map_fd, buf, map_len) != map_len) { -+ RAW_LOG(WARNING, "Can't write to gid_map."); -+ } -+ close(map_fd); -+ -+ // Close the pipe on the parent, so the child can continue doing the -+ // execvp() call. -+ close(map_pipe_fd[1]); -+ } -+#endif -+ - if (options.wait) { - // While this isn't strictly disk IO, waiting for another process to - // finish is the sort of thing ThreadRestrictions is trying to prevent. -diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc -index fea43b5..95cbe07 100644 ---- a/content/browser/zygote_host/zygote_host_impl_linux.cc -+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc -@@ -121,25 +121,31 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) { - - sandbox_binary_ = sandbox_cmd.c_str(); - -- // A non empty sandbox_cmd means we want a SUID sandbox. 
-- using_suid_sandbox_ = !sandbox_cmd.empty(); -+ bool userns_sandbox = false; -+ const std::vector<std::string> cmd_line_unwrapped(cmd_line.argv()); - -- if (using_suid_sandbox_) { -+ if (!sandbox_cmd.empty()) { - struct stat st; - if (stat(sandbox_binary_.c_str(), &st) != 0) { - LOG(FATAL) << "The SUID sandbox helper binary is missing: " - << sandbox_binary_ << " Aborting now."; - } - -- if (access(sandbox_binary_.c_str(), X_OK) == 0 && -- (st.st_uid == 0) && -- (st.st_mode & S_ISUID) && -- (st.st_mode & S_IXOTH)) { -+ if (access(sandbox_binary_.c_str(), X_OK) == 0) { -+ using_suid_sandbox_ = true; -+ - cmd_line.PrependWrapper(sandbox_binary_); - - scoped_ptr<sandbox::SetuidSandboxClient> - sandbox_client(sandbox::SetuidSandboxClient::Create()); - sandbox_client->SetupLaunchEnvironment(); -+ -+ if (!((st.st_uid == 0) && -+ (st.st_mode & S_ISUID) && -+ (st.st_mode & S_IXOTH))) { -+ userns_sandbox = true; -+ sandbox_client->SetNoSuid(); -+ } - } else { - LOG(FATAL) << "The SUID sandbox helper binary was found, but is not " - "configured correctly. Rather than run without sandboxing " -@@ -163,7 +169,19 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) { - base::ProcessHandle process = -1; - base::LaunchOptions options; - options.fds_to_remap = &fds_to_map; -+ if (userns_sandbox) -+ options.new_user_namespace = true; - base::LaunchProcess(cmd_line.argv(), options, &process); -+ -+ if (process == -1 && userns_sandbox) { -+ LOG(ERROR) << "User namespace sandbox failed to start, running without " -+ << "sandbox! 
You need at least kernel 3.8.0 with CONFIG_USER_NS " -+ << "enabled in order to use the sandbox without setuid bit."; -+ using_suid_sandbox_ = false; -+ options.new_user_namespace = false; -+ base::LaunchProcess(cmd_line_unwrapped, options, &process); -+ } -+ - CHECK(process != -1) << "Failed to launch zygote process"; - - if (using_suid_sandbox_) { -diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc -index 567b305..1089233 100644 ---- a/content/zygote/zygote_main_linux.cc -+++ b/content/zygote/zygote_main_linux.cc -@@ -426,6 +426,13 @@ static bool EnterSuidSandbox(LinuxSandbox* linux_sandbox, - *has_started_new_init = true; - } - -+ // Don't set non-dumpable, as it causes trouble when the host tries to find -+ // the zygote process (XXX: Not quite sure why this happens with user -+ // namespaces). Fortunately, we also have the seccomp filter sandbox which -+ // should disallow the use of ptrace. -+ if (setuid_sandbox->IsNoSuid()) -+ return true; -+ - #if !defined(OS_OPENBSD) - // Previously, we required that the binary be non-readable. This causes the - // kernel to mark the process as non-dumpable at startup. 
The thinking was -diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.cc b/sandbox/linux/suid/client/setuid_sandbox_client.cc -index 34231d4..36e3201 100644 ---- a/sandbox/linux/suid/client/setuid_sandbox_client.cc -+++ b/sandbox/linux/suid/client/setuid_sandbox_client.cc -@@ -166,6 +166,10 @@ bool SetuidSandboxClient::IsInNewNETNamespace() const { - return env_->HasVar(kSandboxNETNSEnvironmentVarName); - } - -+bool SetuidSandboxClient::IsNoSuid() const { -+ return env_->HasVar(kSandboxNoSuidVarName); -+} -+ - bool SetuidSandboxClient::IsSandboxed() const { - return sandboxed_; - } -@@ -175,5 +179,9 @@ void SetuidSandboxClient::SetupLaunchEnvironment() { - SetSandboxAPIEnvironmentVariable(env_); - } - -+void SetuidSandboxClient::SetNoSuid() { -+ env_->SetVar(kSandboxNoSuidVarName, "1"); -+} -+ - } // namespace sandbox - -diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h -index a9f6536..2e8113a 100644 ---- a/sandbox/linux/suid/client/setuid_sandbox_client.h -+++ b/sandbox/linux/suid/client/setuid_sandbox_client.h -@@ -39,6 +39,8 @@ class SetuidSandboxClient { - bool IsInNewPIDNamespace() const; - // Did the setuid helper create a new network namespace ? - bool IsInNewNETNamespace() const; -+ // Is sandboxed without SUID binary ? -+ bool IsNoSuid() const; - // Are we done and fully sandboxed ? - bool IsSandboxed() const; - -@@ -46,6 +48,8 @@ class SetuidSandboxClient { - // helper. - void SetupLaunchEnvironment(); - -+ void SetNoSuid(); -+ - private: - // Holds the environment. Will never be NULL. 
- base::Environment* env_; -diff --git a/sandbox/linux/suid/common/sandbox.h b/sandbox/linux/suid/common/sandbox.h -index aad4ff8..bd710d5 100644 ---- a/sandbox/linux/suid/common/sandbox.h -+++ b/sandbox/linux/suid/common/sandbox.h -@@ -18,6 +18,7 @@ static const char kAdjustLowMemMarginSwitch[] = "--adjust-low-mem"; - - static const char kSandboxDescriptorEnvironmentVarName[] = "SBX_D"; - static const char kSandboxHelperPidEnvironmentVarName[] = "SBX_HELPER_PID"; -+static const char kSandboxNoSuidVarName[] = "SBX_NO_SUID"; - - static const long kSUIDSandboxApiNumber = 1; - static const char kSandboxEnvironmentApiRequest[] = "SBX_CHROME_API_RQ"; diff --git a/pkgs/applications/networking/browsers/chromium/source/sources.nix b/pkgs/applications/networking/browsers/chromium/source/sources.nix index 965328d43a4..4a610827913 100644 --- a/pkgs/applications/networking/browsers/chromium/source/sources.nix +++ b/pkgs/applications/networking/browsers/chromium/source/sources.nix 
@@ -1,21 +1,21 @@
 # This file is autogenerated from update.sh in the parent directory.
 {
 dev = {
- version = "37.0.2054.3";
- sha256 = "1sly1fb9wh10m36crikahn7wgsq7j090jaga4l8zk4kihzprcnj2";
- sha256bin32 = "0242ypzgzskkmsw3iyirxzlm1gbng94lv723ffcr018grq9yg4gs";
- sha256bin64 = "17kzb7k0vn96wa6a4xfx05885li1qjg8bp6y3ngs2i0wws9ypfd9";
+ version = "38.0.2107.3";
+ sha256 = "0zb1mj3xgvvs5ijix4b52vj9dlymqkipn8srfzvhwl7g4hx5ss3v";
+ sha256bin32 = "12lvvmg3bqacb0qw72bwlxm2m57s39mz2810agngdgzv0hd835cv";
+ sha256bin64 = "1vw36s8nlvdsl8pjbh4gny00kvcizn1i2lznzqzysicz2rz7ncrh";
 };
 beta = {
- version = "36.0.1985.84";
- sha256 = "02hhqx5m4hxmnf8l3a2ah9k39bpz35sll6gv89vz27vdgb6mza0j";
- sha256bin32 = "1jjxzknyiw6d5p0bcb7c9d0siffg55wmm34lq1phz1jlqq6hz6zy";
- sha256bin64 = "1jr9a386arfmd8rskns9bmlczzr3xzcw9ykv7xf23iz86qqp723r";
+ version = "37.0.2062.58";
+ sha256 = "0jck4s6nrizj9wmifsjviin9ifnviihs21fi05wzljyfnbgc4byl";
+ sha256bin32 = "1cm1r8bqy66gvdhbrgn9pdc11i72dca96ab5j3m3349p6728jbgk";
+ sha256bin64 = "0cpb189pn5jiplldkgy8lfbcwvfik66kjjf6y2i708xa5ggfpwfi";
 };
 stable = {
- version = "35.0.1916.153";
- sha256 = "03p7wmlvbrgd8m94344z4azkhrffwrr5c76dm8c4jcxs0x1yn318";
- sha256bin32 = "0xm34xwdai8ns6bkq5dshh4izls70rwgvya23md4vxq6iv78sykn";
- sha256bin64 = "1x2cm1i8v8d69856b42anms33clv63adzpqy58in6i9vba13swif";
+ version = "36.0.1985.125";
+ sha256 = "08shkm89qzzdlrjg0rg5qiszbk6ziginsicyxqyk353y76jx10hp";
+ sha256bin32 = "1ahazz56k127xncgl1lzwsmydbh0vcxq0hzrb9cm9zzdkzqjzg03";
+ sha256bin64 = "0qx5316cd8l9g8w389aqi5m3csmr5s8hs7sivlk02mbs0jzi8ppc";
 };
 } |