Closes #17460 Changed the wrapper derivation to produce a second output containing the sandbox. Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store). This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it. Does not trigger a Chromium rebuild. cc @cleverca22 @joachifm @jasomwip/yesman
parent
41b8c6d5a9
commit
66d5edf654
@ -0,0 +1,28 @@ |
||||
{ config, lib, pkgs, ... }: |
||||
|
||||
with lib; |
||||
|
||||
let |
||||
cfg = config.security.chromiumSuidSandbox; |
||||
sandbox = pkgs.chromium.sandbox; |
||||
in |
||||
{ |
||||
options.security.chromiumSuidSandbox.enable = mkEnableOption '' |
||||
Whether to install the Chromium SUID sandbox which is an executable that |
||||
Chromium may use in order to achieve sandboxing. |
||||
|
||||
If you get the error "The SUID sandbox helper binary was found, but is not |
||||
configured correctly.", turning this on might help. |
||||
|
||||
Also, if the URL chrome://sandbox tells you that "You are not adequately |
||||
sandboxed!", turning this on might resolve the issue. |
||||
|
||||
Finally, if you have <option>security.grsecurity</option> enabled and you |
||||
use Chromium, you probably need this. |
||||
''; |
||||
|
||||
config = mkIf cfg.enable { |
||||
environment.systemPackages = [ sandbox ]; |
||||
security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ]; |
||||
}; |
||||
} |
Loading…
Reference in new issue