chromium: Split off sandbox from the browser.

Now, we no longer tie the sandbox directly to the browser derivation but wrap everything together into one derivation at the entry point at default.nix. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2024-09-29 16:40:18 +02:00 · 2014-03-22 17:05:14 +01:00 · 2014-03-22 17:05:14 +01:00 · 5021717099
parent c86d376c82
commit 5021717099
3 changed files with 28 additions and 28 deletions
--- a/pkgs/applications/networking/browsers/chromium/browser.nix
+++ b/pkgs/applications/networking/browsers/chromium/browser.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl, makeWrapper, ninja, which
+{ stdenv, fetchurl, ninja, which

 # default dependencies
 , bzip2, flac, speex, icu, libopus
@ -81,26 +81,19 @@ let
    libusb1 libexif
  ];

-  sandbox = import ./sandbox.nix {
-    inherit stdenv;
-    src = source.sandbox;
-    binary = "${packageName}_sandbox";
-  };
-
  # build paths and release info
  packageName = "chromium";
  buildType = "Release";
  buildPath = "out/${buildType}";
  libExecPath = "$out/libexec/${packageName}";
-  sandboxPath = "${sandbox}/bin/${packageName}_sandbox";

 in stdenv.mkDerivation rec {
-  name = "${packageName}-${source.version}";
+  name = "${packageName}-browser-${source.version}";
  inherit packageName;
  src = source;

  buildInputs = defaultDependencies ++ [
-    which makeWrapper
+    which
    python perl pkgconfig
    nspr udev
    (if useOpenSSL then openssl else nss)
@ -228,8 +221,7 @@ in stdenv.mkDerivation rec {

  postPatch = ''
    sed -i -e '/base::FilePath exe_dir/,/^ *} *$/c \
-      sandbox_binary = \
-        base::FilePath("'"${sandboxPath}"'");
+      sandbox_binary = base::FilePath(getenv("CHROMIUM_SANDBOX_BINARY_PATH"));
    ' content/browser/browser_main_loop.cc
  '';

@ -245,7 +237,6 @@ in stdenv.mkDerivation rec {
    use_openssl = useOpenSSL;
    selinux = enableSELinux;
    use_cups = cupsSupport;
-    linux_sandbox_path="${sandboxPath}";
    linux_sandbox_chrome_path="${libExecPath}/${packageName}";
    werror = "";

@ -281,7 +272,7 @@ in stdenv.mkDerivation rec {
    LINK_host="${CXX}"             \
      "${ninja}/bin/ninja" -C "${buildPath}"  \
        -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
-        chrome ${optionalString (!enableSELinux) "chrome_sandbox"}
+        chrome
  '';

  installPhase = ''
@ -295,10 +286,6 @@ in stdenv.mkDerivation rec {

    cp -v "${buildPath}/chrome" "${libExecPath}/${packageName}"

-    mkdir -vp "$out/bin"
-    makeWrapper "${libExecPath}/${packageName}" "$out/bin/${packageName}" \
-      --add-flags "${plugins.flagsEnabled}"
-
    mkdir -vp "$out/share/man/man1"
    cp -v "${buildPath}/chrome.1" "$out/share/man/man1/${packageName}.1"

@ -313,10 +300,6 @@ in stdenv.mkDerivation rec {
    done
  '';

-  passthru = {
-    inherit sandbox;
-  };
-
  meta = {
    description = "An open source web browser from Google";
    homepage = http://www.chromium.org/;
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@ -1,4 +1,4 @@
-{ newScope
+{ newScope, stdenv, makeWrapper

 # package customization
 , channel ? "stable"
@ -30,9 +30,26 @@ let
              pulseSupport;
    };

+    sandbox = callPackage ./sandbox.nix { };
+
    plugins = callPackage ./plugins.nix {
      inherit enablePepperFlash enablePepperPDF;
    };
  };

-in chromium.browser
+in stdenv.mkDerivation {
+  name = "chromium-${channel}-${chromium.source.version}";
+
+  buildInputs = [ makeWrapper ];
+
+  buildCommand = let
+    browserBinary = "${chromium.browser}/libexec/chromium/chromium";
+    sandboxBinary = "${chromium.sandbox}/bin/chromium-sandbox";
+  in ''
+    ensureDir "$out/bin"
+    ln -s "${chromium.browser}/share" "$out/share"
+    makeWrapper "${browserBinary}" "$out/bin/chromium" \
+      --set CHROMIUM_SANDBOX_BINARY_PATH "${sandboxBinary}" \
+      --add-flags "${chromium.plugins.flagsEnabled}"
+  '';
+}
--- a/pkgs/applications/networking/browsers/chromium/sandbox.nix
+++ b/pkgs/applications/networking/browsers/chromium/sandbox.nix
@ -1,8 +1,8 @@
-{ stdenv, src, binary }:
+{ stdenv, source }:

 stdenv.mkDerivation {
-  name = "chromium-sandbox-${src.version}";
-  inherit src;
+  name = "chromium-sandbox-${source.version}";
+  src = source.sandbox;

  patchPhase = ''
    sed -i -e '/#include.*base_export/c \
@ -15,6 +15,6 @@ stdenv.mkDerivation {
  '';

  installPhase = ''
-    install -svD sandbox "$out/bin/${binary}"
+    install -svD sandbox "$out/bin/chromium-sandbox"
  '';
 }