chromium: Minimal build (no install) from source.
This only gets chromium to build so far, installation is missing by upstream, so
we need to manually copy the corresponding files. And I guess with nix, we also
need to patch a few paths on installation.
Another issue is that at the moment, a lot of dependencies are used from the
source tree, rather than from the system.
Also, it would be nice to build using LLVM, as it really speeds up compilation a
*LOT* and also has the side effect of resulting in smaller binaries.
Working unit tests would be nice, too. Unfortunately they're quite heavyweight
and take hours to run, so I guess "someday" would be the most appropriate time
to integrate.
Further todo's:
- Allow to disable GConf, GIO and CUPS.
- Option to disable the sandbox (for whatever reason the user might have).
- Integrate gold binutils.
- Pulseaudio support.
- Clearly separate Linux specific stuff.
2012-06-12 10:19:22 +02:00

chromium: Add patch for user namespace sandboxing.
This patch adds support for unprivileged user namespaces found in kernel
versions 3.8.0 and later. In case of Nix, this is especially useful to prevent
having to set up setuid wrappers.
The implementation details about this patch can be found at the top of the file
"sandbox_userns.patch". My first attempt of creating this patch was by modifying
the SUID sandbox. Unfortunately this didn't work out well, because in the event
of a sandbox failure, the host zygote process waits for an answer of the inner
zygote with no timeout. Even if I'd have set a timeout, this would have been
very ugly, giving users which don't have unprivileged user namespaces a delay on
startup.
An alternative approach to the mentioned problem would be to use select() on the
host zygote, watching for changes stdout or stderr and the synchronization
socket. But even that approach isn't feasible because it requires a whole bunch
of even more patching.
Patch was tested with older kernels (3.2.x, 3.7.x) and kernels without user
namespace support enabled, where in case the feature is unavailable it reverts
back to the previous behaviour (no zygote sandbox, only seccomp BPF).
In order to support all Chromium channels, I manually changed the first hunk of
the patch to not include the starting context of the diff, because there is a
whitespace change in more recent versions of the Chromium source tree.
See SVN revision 199882 for the change (revert in this case) in detail:
http://src.chromium.org/viewvc/chrome?view=revision&revision=199882
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2013-05-15 15:47:59 +02:00

{ stdenv, fetchurl, makeWrapper, which

# default dependencies
, bzip2, flac, speex
, libevent, expat, libjpeg
, libpng, libxml2, libxslt
, xdg_utils, yasm, zlib
, libusb1, libexif, pciutils
, python, perl, pkgconfig
, nspr, udev, krb5
, utillinux, alsaLib
, gcc, bison, gperf
, glib, gtk, dbus_glib
, libXScrnSaver, libXcursor, mesa
, protobuf, speechd, libXdamage

# dependencies for >= v27
, libXtst

# optional dependencies
, libgcrypt ? null # gnomeSupport || cupsSupport

# package customization
, channel ? "stable"
, enableSELinux ? false, libselinux ? null
, enableNaCl ? false
, useOpenSSL ? false, nss ? null, openssl ? null
, gnomeSupport ? false, gconf ? null
, gnomeKeyringSupport ? false, libgnome_keyring ? null
, proprietaryCodecs ? true
, cupsSupport ? false
, pulseSupport ? false, pulseaudio ? null
}:

with stdenv.lib;

let
  # version, url and sha256 of the selected release channel
  sourceInfo = builtins.getAttr channel (import ./sources.nix);

  # Render an attribute set as gyp "-D<key>=<value>" flags;
  # booleans are passed to gyp as 1/0, everything else as a string.
  mkGypFlags =
    let
      sanitize = value:
        if value == true then "1"
        else if value == false then "0"
        else "${value}";
      toFlag = key: value: "-D${key}=${sanitize value}";
    in attrs: concatStringsSep " " (attrValues (mapAttrs toFlag attrs));

  gypFlagsUseSystemLibs = {
    use_system_bzip2 = true;
    use_system_flac = true;
    use_system_libevent = true;
    use_system_libexpat = true;
    use_system_libexif = true;
    use_system_libjpeg = true;
    use_system_libpng = false; # PNG dlopen() version conflict
    use_system_libusb = true;
    use_system_libxml = true;
    use_system_speex = true;
    use_system_ssl = useOpenSSL;
    use_system_stlport = true;
    use_system_xdg_utils = true;
    use_system_yasm = true;
    use_system_zlib = false; # http://crbug.com/143623
    use_system_protobuf = true;

    # still taken from the bundled source tree
    use_system_harfbuzz = false;
    use_system_icu = false;
    use_system_libwebp = false; # http://crbug.com/133161
    use_system_skia = false;
    use_system_sqlite = false; # http://crbug.com/22208
    use_system_v8 = false;
  };

  defaultDependencies = [
    bzip2 flac speex
    libevent expat libjpeg
    libpng libxml2 libxslt
    xdg_utils yasm zlib
    libusb1 libexif
  ];

  pre27 = versionOlder sourceInfo.version "27.0.0.0";
  pre28 = versionOlder sourceInfo.version "28.0.0.0";
  post26 = !pre27;
  post27 = !pre28;
  # build paths and release info
  packageName = "chromium";
  buildType = "Release";
  buildPath = "out/${buildType}";
  libExecPath = "$out/libexec/${packageName}";

in stdenv.mkDerivation rec {
  name = "${packageName}-${version}";
  inherit packageName;

  version = sourceInfo.version;

  src = fetchurl {
    url = sourceInfo.url;
    sha256 = sourceInfo.sha256;
  };

  buildInputs = defaultDependencies ++ [
    which makeWrapper
    python perl pkgconfig
    nspr udev
    (if useOpenSSL then openssl else nss)
    utillinux alsaLib
    gcc bison gperf
    krb5
    glib gtk dbus_glib
    libXScrnSaver libXcursor mesa
    pciutils protobuf speechd libXdamage
  ] ++ optional gnomeKeyringSupport libgnome_keyring
    ++ optionals gnomeSupport [ gconf libgcrypt ]
    ++ optional enableSELinux libselinux
    ++ optional cupsSupport libgcrypt
    ++ optional pulseSupport pulseaudio
    ++ optional post26 libXtst;

  opensslPatches = optional useOpenSSL openssl.patches;

  prePatch = "patchShebangs .";

  patches = [
    # unprivileged user namespace sandbox (kernel >= 3.8), falls back to
    # seccomp BPF only where user namespaces are unavailable
    ./sandbox_userns.patch
  ] ++ optional cupsSupport ./cups_allow_deprecated.patch
    ++ optional (pulseSupport && pre27) ./pulseaudio_array_bounds.patch
    ++ optional pre27 ./glibc-2.16-use-siginfo_t.patch;

  postPatch = ''
    # rewrites -fstack-protector / -fstack-protector-all in build/common.gypi
    # to -fno-stack-protector, so the resulting binaries carry no stack canaries
    sed -i -r -e 's/-f(stack-protector)(-all)?/-fno-\1/' build/common.gypi
  '' + optionalString useOpenSSL ''
    cat $opensslPatches | patch -p1 -d third_party/openssl/openssl
  '' + ''
    sed -i -e 's|/usr/bin/gcc|gcc|' \
      third_party/WebKit/Source/${if post27
                                  then "core/core.gypi"
                                  else "WebCore/WebCore.gyp/WebCore.gyp"}
  '';

  gypFlags = mkGypFlags (gypFlagsUseSystemLibs // {
    linux_use_gold_binary = false;
    linux_use_gold_flags = false;
    proprietary_codecs = false;
    use_gnome_keyring = gnomeKeyringSupport;
    use_gconf = gnomeSupport;
    use_gio = gnomeSupport;
    use_pulseaudio = pulseSupport;
    disable_nacl = !enableNaCl;
    use_openssl = useOpenSSL;
    selinux = enableSELinux;
    use_cups = cupsSupport;
    # where the installed browser finds its sandbox helper and itself
    linux_sandbox_path = "${libExecPath}/${packageName}_sandbox";
    linux_sandbox_chrome_path = "${libExecPath}/${packageName}";
  } // optionalAttrs proprietaryCodecs {
    # enable support for the H.264 codec
    proprietary_codecs = true;
    ffmpeg_branding = "Chrome";
  } // optionalAttrs (stdenv.system == "x86_64-linux") {
    target_arch = "x64";
  } // optionalAttrs (stdenv.system == "i686-linux") {
    target_arch = "ia32";
  });

  enableParallelBuilding = true;

  configurePhase = ''
    python build/gyp_chromium --depth "$(pwd)" ${gypFlags}
  '';

  makeFlags = let
    CC = "${gcc}/bin/gcc";
    CXX = "${gcc}/bin/g++";
  in [
    "CC=${CC}"
    "CXX=${CXX}"
    "CC.host=${CC}"
    "CXX.host=${CXX}"
    "LINK.host=${CXX}"
  ];

  # the chrome_sandbox helper is only built when SELinux is not used instead
  buildFlags = [
    "BUILDTYPE=${buildType}"
    "library=shared_library"
    "chrome"
  ] ++ optional (!enableSELinux) "chrome_sandbox";

  installPhase = ''
    mkdir -vp "${libExecPath}"
    cp -v "${buildPath}/"*.pak "${libExecPath}/"
    cp -vR "${buildPath}/locales" "${buildPath}/resources" "${libExecPath}/"
    cp -v "${buildPath}/libffmpegsumo.so" "${libExecPath}/"

    cp -v "${buildPath}/chrome" "${libExecPath}/${packageName}"

    mkdir -vp "$out/bin"
    makeWrapper "${libExecPath}/${packageName}" "$out/bin/${packageName}"
  '' + optionalString (!enableSELinux) ''
    # only exists when the chrome_sandbox target was built (see buildFlags)
    cp -v "${buildPath}/chrome_sandbox" "${libExecPath}/${packageName}_sandbox"
  '' + ''

    mkdir -vp "$out/share/man/man1"
    cp -v "${buildPath}/chrome.1" "$out/share/man/man1/${packageName}.1"

    for icon_file in chrome/app/theme/chromium/product_logo_*[0-9].png; do
      num_and_suffix="''${icon_file##*logo_}"
      icon_size="''${num_and_suffix%.*}"
      logo_output_prefix="$out/share/icons/hicolor"
      logo_output_path="$logo_output_prefix/''${icon_size}x''${icon_size}/apps"
      mkdir -vp "$logo_output_path"
      cp -v "$icon_file" "$logo_output_path/${packageName}.png"
    done
  '';

  meta = {
    description = "Chromium, an open source web browser";
    homepage = http://www.chromium.org/;
    maintainers = with maintainers; [ goibhniu chaoflow aszlig ];
    license = licenses.bsd3;
    platforms = platforms.linux;
  };
}
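The commit message for sandbox_userns.patch on this page says the patched zygote sandbox uses unprivileged user namespaces on kernels 3.8.0 and later and reverts to seccomp BPF alone where they are unavailable. The C program below is an added example, not part of the nixpkgs expression or of Chromium's sandbox code: it probes that same capability the way someone verifying a deployment would, by attempting unshare(CLONE_NEWUSER) in a throwaway child and classifying the errno, so you can tell before launching the browser which sandbox mode a given kernel and policy will permit. The enum, the function names and the status strings are this example's own; run it as an unprivileged user, since root can always create a user namespace.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the feature macro did not reach the headers:
 * CLONE_NEWUSER has this value in the Linux UAPI headers, and unshare(2)
 * has this prototype in glibc. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

/* Outcome of the probe (names are this example's own). */
enum userns_status {
    USERNS_AVAILABLE,    /* unprivileged CLONE_NEWUSER succeeded           */
    USERNS_DENIED,       /* kernel has user namespaces, policy refuses them */
    USERNS_UNSUPPORTED,  /* kernel too old or built without user namespaces */
    USERNS_PROBE_FAILED  /* the probe itself could not run                  */
};

/* Map the errno left by unshare(CLONE_NEWUSER) (0 on success) to a status. */
enum userns_status classify_unshare_errno(int err)
{
    switch (err) {
    case 0:
        return USERNS_AVAILABLE;
    case EPERM:
    case EACCES:
        /* e.g. a distribution sysctl that disables unprivileged user namespaces */
        return USERNS_DENIED;
    case EINVAL:   /* CLONE_NEWUSER rejected: pre-3.8 kernel or CONFIG_USER_NS=n */
    case ENOSYS:   /* unshare(2) itself unavailable */
        return USERNS_UNSUPPORTED;
    default:
        return USERNS_PROBE_FAILED;
    }
}

/* Probe in a forked child so the caller's own namespaces stay untouched. */
enum userns_status probe_unprivileged_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return USERNS_PROBE_FAILED;
    if (pid == 0) {
        int err = (unshare(CLONE_NEWUSER) == 0) ? 0 : errno;
        _exit(err);  /* Linux errno values fit in the 8-bit exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return USERNS_PROBE_FAILED;
    return classify_unshare_errno(WEXITSTATUS(status));
}

/* Human-readable verdict, phrased in terms of the sandbox mode to expect. */
const char *userns_status_name(enum userns_status s)
{
    switch (s) {
    case USERNS_AVAILABLE:
        return "available: the zygote sandbox can use a user namespace";
    case USERNS_DENIED:
        return "denied by policy: expect fallback to seccomp BPF only";
    case USERNS_UNSUPPORTED:
        return "unsupported by this kernel: expect fallback to seccomp BPF only";
    default:
        return "probe failed";
    }
}

int main(void)
{
    enum userns_status s = probe_unprivileged_userns();
    printf("unprivileged user namespaces: %s\n", userns_status_name(s));
    return s == USERNS_AVAILABLE ? 0 : 1;
}
```

The probe is deliberately done in a child: a successful unshare(CLONE_NEWUSER) would otherwise leave the calling process in a fresh user namespace, which is exactly the state change the browser, not a diagnostic tool, should be making.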