chromium: Update all channels to latest versions.

With this commit, the following new upstream versions are introduced:

stable: 35.0.1916.153 -> 36.0.1985.125
beta:   36.0.1985.84  -> 37.0.2062.44
dev:    37.0.2054.3   -> 38.0.2101.0

All builds were successfully tested on my machine, however in order to
update the beta and dev channels, a few additional modifications were
necessary:

 * Don't update address_input_strings.grdp anymore because this has been
   done/fixed upstream and was relevant in version 37.0.2054.3 _only_.
 * No need to fix references to /usr/bin/gcc in version 38 anymore.
 * Constrain patch for Angle (introduced in 4cbedd7) to version 37 only,
   because it already has been applied upstream in version 38.
 * Drop user namespaces patch for version 31 up until version 35,
   because version 36 is already in stable.
 * Don't try to build bundled Clang and/or even build using Clang.
 * Remove obsolete patchPhase commands that are specific to version 35
   and older.

While testing the dev version 38 I came accross a font rendering issue
which needs to be addressed ASAP (perhaps related to #3187), however the
browser works otherwise.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

4 files changed, 21 insertions, 324 deletions

diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 3aac5f9b17a..31125795271 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -79,7 +79,7 @@ let
   };
 
   opusWithCustomModes = libopus.override {
-    withCustomModes = !versionOlder source.version "35.0.0.0";
+    withCustomModes = true;
   };
 
   defaultDependencies = [
@@ -132,19 +132,13 @@ let
       find -iname '*.gyp*' \( -type f -o -type l \) \
         -exec sed -i -e 's|<(DEPTH)|'"$(pwd)"'|g' {} + \
         -exec chmod u+w {} +
-    '' + optionalString (!versionOlder source.version "37.0.0.0") ''
-      python third_party/libaddressinput/chromium/tools/update-strings.py
     '';
 
-    postPatch = let
-      toPatch = if versionOlder source.version "36.0.0.0"
-                then "content/browser/browser_main_loop.cc"
-                else "sandbox/linux/suid/client/setuid_sandbox_client.cc";
-    in ''
+    postPatch = ''
       sed -i -e '/base::FilePath exe_dir/,/^ *} *$/c \
         sandbox_binary = base::FilePath(getenv("CHROMIUM_SANDBOX_BINARY_PATH"));
-      ' ${toPatch}
-    '' + optionalString (!versionOlder source.version "36.0.0.0") ''
+      ' sandbox/linux/suid/client/setuid_sandbox_client.cc
+
       sed -i -e '/module_path *=.*libexif.so/ {
         s|= [^;]*|= base::FilePath().AppendASCII("${libexif}/lib/libexif.so")|
       }' chrome/utility/media_galleries/image_metadata_extractor.cc
@@ -165,6 +159,7 @@ let
       use_cups = cupsSupport;
       linux_sandbox_chrome_path="${libExecPath}/${packageName}";
       werror = "";
+      clang = false;
 
       # FIXME: In version 37, omnibox.mojom.js doesn't seem to be generated.
       use_mojo = versionOlder source.version "37.0.0.0";
diff --git a/pkgs/applications/networking/browsers/chromium/source/default.nix b/pkgs/applications/networking/browsers/chromium/source/default.nix
index 6a6b299ee51..70b01d071a7 100644
--- a/pkgs/applications/networking/browsers/chromium/source/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/source/default.nix
@@ -22,9 +22,7 @@ stdenv.mkDerivation {
 
   prePatch = "patchShebangs .";
 
-  patches = if (versionOlder version "36.0.0.0")
-            then singleton ./sandbox_userns_31.patch
-            else singleton ./sandbox_userns_36.patch;
+  patches = singleton ./sandbox_userns_36.patch;
 
   postPatch = ''
     sed -i -r \
@@ -32,14 +30,15 @@ stdenv.mkDerivation {
       -e 's|/bin/echo|echo|' \
       -e "/python_arch/s/: *'[^']*'/: '""'/" \
       build/common.gypi chrome/chrome_tests.gypi
+  '' + optionalString (versionOlder version "38.0.0.0") (''
     sed -i -e '/not RunGN/,+1d' -e '/import.*depot/d' build/gyp_chromium
     sed -i -e 's|/usr/bin/gcc|gcc|' \
       third_party/WebKit/Source/build/scripts/scripts.gypi \
       third_party/WebKit/Source/build/scripts/preprocessor.pm
-  '' + optionalString useOpenSSL ''
-    cat $opensslPatches | patch -p1 -d third_party/openssl/openssl
   '' + optionalString (!versionOlder version "37.0.0.0") ''
     patch -p1 -d third_party/angle < "${./angle_build_37.patch}"
+  '') + optionalString useOpenSSL ''
+    cat $opensslPatches | patch -p1 -d third_party/openssl/openssl
   '';
 
   outputs = [ "out" "sandbox" "bundled" "main" ];
diff --git a/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_31.patch b/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_31.patch
deleted file mode 100644
index 490c1a9cebe..00000000000
--- a/pkgs/applications/networking/browsers/chromium/source/sandbox_userns_31.patch
+++ /dev/null
@@ -1,297 +0,0 @@
-commit ff4e8b4af04c58fc4c58ee7ed108aefcdc26a960
-Author: aszlig <aszlig@redmoonstudios.org>
-Date:   Thu May 16 14:17:56 2013 +0200
-
-    zygote: Add support for user namespaces on Linux.
-    
-    The implementation is done by patching the Zygote host to execute the sandbox
-    binary with CLONE_NEWUSER and setting the uid and gid mapping so that the child
-    process is using uid 0 and gid 0 which map to the current user of the parent.
-    Afterwards, the sandbox will continue as if it was called as a setuid binary.
-    
-    In addition, this adds new_user_namespace as an option in process_util in order
-    to set the UID and GID mapping correctly. The reason for this is that just
-    passing CLONE_NEWUSER to clone_flags doesn't help in LaunchProcess(), because
-    without setting the mappings exec*() will clear the process's capability sets.
-    
-    If the kernel doesn't support unprivileged user namespaces and the sandbox
-    binary doesn't have the setuid flag, the Zygote main process will run without a
-    sandbox. This is to mimic the behaviour if no SUID sandbox binary path is set.
-    
-    Signed-off-by: aszlig <aszlig@redmoonstudios.org>
-
-diff --git a/base/process/launch.cc b/base/process/launch.cc
-index 1329a5a..ec28fdf 100644
---- a/base/process/launch.cc
-+++ b/base/process/launch.cc
-@@ -24,6 +24,7 @@ LaunchOptions::LaunchOptions()
-       new_process_group(false)
- #if defined(OS_LINUX)
-       , clone_flags(0)
-+      , new_user_namespace(false)
- #endif  // OS_LINUX
- #if defined(OS_CHROMEOS)
-       , ctrl_terminal_fd(-1)
-diff --git a/base/process/launch.h b/base/process/launch.h
-index ac2df5e..34a3851 100644
---- a/base/process/launch.h
-+++ b/base/process/launch.h
-@@ -100,6 +100,9 @@ struct BASE_EXPORT LaunchOptions {
- #if defined(OS_LINUX)
-   // If non-zero, start the process using clone(), using flags as provided.
-   int clone_flags;
-+
-+  // If true, start the process in a new user namespace.
-+  bool new_user_namespace;
- #endif  // defined(OS_LINUX)
- 
- #if defined(OS_CHROMEOS)
-diff --git a/base/process/launch_posix.cc b/base/process/launch_posix.cc
-index de6286d..9333494 100644
---- a/base/process/launch_posix.cc
-+++ b/base/process/launch_posix.cc
-@@ -37,6 +37,13 @@
- #include "base/threading/platform_thread.h"
- #include "base/threading/thread_restrictions.h"
- 
-+#if defined(OS_LINUX)
-+#include <sched.h>
-+#if !defined(CLONE_NEWUSER)
-+#define CLONE_NEWUSER 0x10000000
-+#endif
-+#endif
-+
- #if defined(OS_CHROMEOS)
- #include <sys/ioctl.h>
- #endif
-@@ -294,13 +301,23 @@ bool LaunchProcess(const std::vector<std::string>& argv,
- 
-   pid_t pid;
- #if defined(OS_LINUX)
--  if (options.clone_flags) {
-+  int map_pipe_fd[2];
-+  int flags = options.clone_flags;
-+
-+  if (options.new_user_namespace) {
-+    flags |= CLONE_NEWUSER;
-+    if (pipe(map_pipe_fd) < 0) {
-+      DPLOG(ERROR) << "user namespace pipe";
-+      return false;
-+    }
-+  }
-+
-+  if (options.clone_flags || options.new_user_namespace) {
-     // Signal handling in this function assumes the creation of a new
-     // process, so we check that a thread is not being created by mistake
-     // and that signal handling follows the process-creation rules.
--    RAW_CHECK(
--        !(options.clone_flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
--    pid = syscall(__NR_clone, options.clone_flags, 0, 0, 0);
-+    RAW_CHECK(!(flags & (CLONE_SIGHAND | CLONE_THREAD | CLONE_VM)));
-+    pid = syscall(__NR_clone, flags, 0, 0, 0);
-   } else
- #endif
-   {
-@@ -318,6 +335,21 @@ bool LaunchProcess(const std::vector<std::string>& argv,
-   } else if (pid == 0) {
-     // Child process
- 
-+#if defined(OS_LINUX)
-+    if (options.new_user_namespace) {
-+      // Close the write end of the pipe so we get an EOF when the parent closes
-+      // the FD. This is to avoid race conditions when the UID/GID mappings are
-+      // written _after_ execvp().
-+      close(map_pipe_fd[1]);
-+
-+      char dummy;
-+      if (HANDLE_EINTR(read(map_pipe_fd[0], &dummy, 1)) != 0) {
-+        RAW_LOG(ERROR, "Unexpected input in uid/gid mapping pipe.");
-+        _exit(127);
-+      }
-+    }
-+#endif
-+
-     // DANGER: fork() rule: in the child, if you don't end up doing exec*(),
-     // you call _exit() instead of exit(). This is because _exit() does not
-     // call any previously-registered (in the parent) exit handlers, which
-@@ -433,6 +465,40 @@ bool LaunchProcess(const std::vector<std::string>& argv,
-     _exit(127);
-   } else {
-     // Parent process
-+#if defined(OS_LINUX)
-+    if (options.new_user_namespace) {
-+      // We need to write UID/GID mapping here to map the current user outside
-+      // the namespace to the root user inside the namespace in order to
-+      // correctly "fool" the child process.
-+      char buf[256];
-+      int map_fd, map_len;
-+
-+      snprintf(buf, sizeof(buf), "/proc/%d/uid_map", pid);
-+      map_fd = open(buf, O_RDWR);
-+      DPCHECK(map_fd >= 0);
-+      snprintf(buf, sizeof(buf), "0 %d 1", geteuid());
-+      map_len = strlen(buf);
-+      if (write(map_fd, buf, map_len) != map_len) {
-+        RAW_LOG(WARNING, "Can't write to uid_map.");
-+      }
-+      close(map_fd);
-+
-+      snprintf(buf, sizeof(buf), "/proc/%d/gid_map", pid);
-+      map_fd = open(buf, O_RDWR);
-+      DPCHECK(map_fd >= 0);
-+      snprintf(buf, sizeof(buf), "0 %d 1", getegid());
-+      map_len = strlen(buf);
-+      if (write(map_fd, buf, map_len) != map_len) {
-+        RAW_LOG(WARNING, "Can't write to gid_map.");
-+      }
-+      close(map_fd);
-+
-+      // Close the pipe on the parent, so the child can continue doing the
-+      // execvp() call.
-+      close(map_pipe_fd[1]);
-+    }
-+#endif
-+
-     if (options.wait) {
-       // While this isn't strictly disk IO, waiting for another process to
-       // finish is the sort of thing ThreadRestrictions is trying to prevent.
-diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc
-index fea43b5..95cbe07 100644
---- a/content/browser/zygote_host/zygote_host_impl_linux.cc
-+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc
-@@ -121,25 +121,31 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) {
- 
-   sandbox_binary_ = sandbox_cmd.c_str();
- 
--  // A non empty sandbox_cmd means we want a SUID sandbox.
--  using_suid_sandbox_ = !sandbox_cmd.empty();
-+  bool userns_sandbox = false;
-+  const std::vector<std::string> cmd_line_unwrapped(cmd_line.argv());
- 
--  if (using_suid_sandbox_) {
-+  if (!sandbox_cmd.empty()) {
-     struct stat st;
-     if (stat(sandbox_binary_.c_str(), &st) != 0) {
-       LOG(FATAL) << "The SUID sandbox helper binary is missing: "
-                  << sandbox_binary_ << " Aborting now.";
-     }
- 
--    if (access(sandbox_binary_.c_str(), X_OK) == 0 &&
--        (st.st_uid == 0) &&
--        (st.st_mode & S_ISUID) &&
--        (st.st_mode & S_IXOTH)) {
-+    if (access(sandbox_binary_.c_str(), X_OK) == 0) {
-+      using_suid_sandbox_ = true;
-+
-       cmd_line.PrependWrapper(sandbox_binary_);
- 
-       scoped_ptr<sandbox::SetuidSandboxClient>
-           sandbox_client(sandbox::SetuidSandboxClient::Create());
-       sandbox_client->SetupLaunchEnvironment();
-+
-+      if (!((st.st_uid == 0) &&
-+            (st.st_mode & S_ISUID) &&
-+            (st.st_mode & S_IXOTH))) {
-+        userns_sandbox = true;
-+        sandbox_client->SetNoSuid();
-+      }
-     } else {
-       LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "
-                     "configured correctly. Rather than run without sandboxing "
-@@ -163,7 +169,19 @@ void ZygoteHostImpl::Init(const std::string& sandbox_cmd) {
-   base::ProcessHandle process = -1;
-   base::LaunchOptions options;
-   options.fds_to_remap = &fds_to_map;
-+  if (userns_sandbox)
-+    options.new_user_namespace = true;
-   base::LaunchProcess(cmd_line.argv(), options, &process);
-+
-+  if (process == -1 && userns_sandbox) {
-+    LOG(ERROR) << "User namespace sandbox failed to start, running without "
-+               << "sandbox! You need at least kernel 3.8.0 with CONFIG_USER_NS "
-+               << "enabled in order to use the sandbox without setuid bit.";
-+    using_suid_sandbox_ = false;
-+    options.new_user_namespace = false;
-+    base::LaunchProcess(cmd_line_unwrapped, options, &process);
-+  }
-+
-   CHECK(process != -1) << "Failed to launch zygote process";
- 
-   if (using_suid_sandbox_) {
-diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
-index 567b305..1089233 100644
---- a/content/zygote/zygote_main_linux.cc
-+++ b/content/zygote/zygote_main_linux.cc
-@@ -426,6 +426,13 @@ static bool EnterSuidSandbox(LinuxSandbox* linux_sandbox,
-       *has_started_new_init = true;
-     }
- 
-+    // Don't set non-dumpable, as it causes trouble when the host tries to find
-+    // the zygote process (XXX: Not quite sure why this happens with user
-+    // namespaces). Fortunately, we also have the seccomp filter sandbox which
-+    // should disallow the use of ptrace.
-+    if (setuid_sandbox->IsNoSuid())
-+      return true;
-+
- #if !defined(OS_OPENBSD)
-     // Previously, we required that the binary be non-readable. This causes the
-     // kernel to mark the process as non-dumpable at startup. The thinking was
-diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.cc b/sandbox/linux/suid/client/setuid_sandbox_client.cc
-index 34231d4..36e3201 100644
---- a/sandbox/linux/suid/client/setuid_sandbox_client.cc
-+++ b/sandbox/linux/suid/client/setuid_sandbox_client.cc
-@@ -166,6 +166,10 @@ bool SetuidSandboxClient::IsInNewNETNamespace() const {
-   return env_->HasVar(kSandboxNETNSEnvironmentVarName);
- }
- 
-+bool SetuidSandboxClient::IsNoSuid() const {
-+  return env_->HasVar(kSandboxNoSuidVarName);
-+}
-+
- bool SetuidSandboxClient::IsSandboxed() const {
-   return sandboxed_;
- }
-@@ -175,5 +179,9 @@ void SetuidSandboxClient::SetupLaunchEnvironment() {
-   SetSandboxAPIEnvironmentVariable(env_);
- }
- 
-+void SetuidSandboxClient::SetNoSuid() {
-+  env_->SetVar(kSandboxNoSuidVarName, "1");
-+}
-+
- }  // namespace sandbox
- 
-diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h
-index a9f6536..2e8113a 100644
---- a/sandbox/linux/suid/client/setuid_sandbox_client.h
-+++ b/sandbox/linux/suid/client/setuid_sandbox_client.h
-@@ -39,6 +39,8 @@ class SetuidSandboxClient {
-   bool IsInNewPIDNamespace() const;
-   // Did the setuid helper create a new network namespace ?
-   bool IsInNewNETNamespace() const;
-+  // Is sandboxed without SUID binary ?
-+  bool IsNoSuid() const;
-   // Are we done and fully sandboxed ?
-   bool IsSandboxed() const;
- 
-@@ -46,6 +48,8 @@ class SetuidSandboxClient {
-   // helper.
-   void SetupLaunchEnvironment();
- 
-+  void SetNoSuid();
-+
-  private:
-   // Holds the environment. Will never be NULL.
-   base::Environment* env_;
-diff --git a/sandbox/linux/suid/common/sandbox.h b/sandbox/linux/suid/common/sandbox.h
-index aad4ff8..bd710d5 100644
---- a/sandbox/linux/suid/common/sandbox.h
-+++ b/sandbox/linux/suid/common/sandbox.h
-@@ -18,6 +18,7 @@ static const char kAdjustLowMemMarginSwitch[] = "--adjust-low-mem";
- 
- static const char kSandboxDescriptorEnvironmentVarName[] = "SBX_D";
- static const char kSandboxHelperPidEnvironmentVarName[] = "SBX_HELPER_PID";
-+static const char kSandboxNoSuidVarName[] = "SBX_NO_SUID";
- 
- static const long kSUIDSandboxApiNumber = 1;
- static const char kSandboxEnvironmentApiRequest[] = "SBX_CHROME_API_RQ";
diff --git a/pkgs/applications/networking/browsers/chromium/source/sources.nix b/pkgs/applications/networking/browsers/chromium/source/sources.nix
index 965328d43a4..294577aa559 100644
--- a/pkgs/applications/networking/browsers/chromium/source/sources.nix
+++ b/pkgs/applications/networking/browsers/chromium/source/sources.nix
@@ -1,21 +1,21 @@
 # This file is autogenerated from update.sh in the parent directory.
 {
   dev = {
-    version = "37.0.2054.3";
-    sha256 = "1sly1fb9wh10m36crikahn7wgsq7j090jaga4l8zk4kihzprcnj2";
-    sha256bin32 = "0242ypzgzskkmsw3iyirxzlm1gbng94lv723ffcr018grq9yg4gs";
-    sha256bin64 = "17kzb7k0vn96wa6a4xfx05885li1qjg8bp6y3ngs2i0wws9ypfd9";
+    version = "38.0.2101.0";
+    sha256 = "01lmnw6kf7qahifybpcf7275ilbsdz1mg10lckh9jhbqk4mxy4c4";
+    sha256bin32 = "06grj03bvkgfmr5gfhv5gqn9vrz0r37svp5wr0l7d2iav7vk7g9g";
+    sha256bin64 = "0d856xkjpx1pcwrkfqa40kwy3s1nvc2qksvrvvdfb84fg3gc4j42";
   };
   beta = {
-    version = "36.0.1985.84";
-    sha256 = "02hhqx5m4hxmnf8l3a2ah9k39bpz35sll6gv89vz27vdgb6mza0j";
-    sha256bin32 = "1jjxzknyiw6d5p0bcb7c9d0siffg55wmm34lq1phz1jlqq6hz6zy";
-    sha256bin64 = "1jr9a386arfmd8rskns9bmlczzr3xzcw9ykv7xf23iz86qqp723r";
+    version = "37.0.2062.44";
+    sha256 = "0pvwdrwygn236bg8wdambwkw9iglq0a3lm8sr7k3q02ng5v0l111";
+    sha256bin32 = "1j326kgng245b1lf5dlg0ipwbrm7miiz5byhisqls30v1q3njka9";
+    sha256bin64 = "1w86salg04z42c518v6nn40003zhabk33plrz5zh9nfjdxn6nxig";
   };
   stable = {
-    version = "35.0.1916.153";
-    sha256 = "03p7wmlvbrgd8m94344z4azkhrffwrr5c76dm8c4jcxs0x1yn318";
-    sha256bin32 = "0xm34xwdai8ns6bkq5dshh4izls70rwgvya23md4vxq6iv78sykn";
-    sha256bin64 = "1x2cm1i8v8d69856b42anms33clv63adzpqy58in6i9vba13swif";
+    version = "36.0.1985.125";
+    sha256 = "08shkm89qzzdlrjg0rg5qiszbk6ziginsicyxqyk353y76jx10hp";
+    sha256bin32 = "1ahazz56k127xncgl1lzwsmydbh0vcxq0hzrb9cm9zzdkzqjzg03";
+    sha256bin64 = "0qx5316cd8l9g8w389aqi5m3csmr5s8hs7sivlk02mbs0jzi8ppc";
   };
 }