VirtualBox with hardening support requires the main binaries to be
setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are
pointing to the libexec directory and we also need to unset
VBOX_WITH_ORIGIN to make sure that the build system is actually setting
those RPATHs.
The hardened.patch implements two things:
* Set the binary directory to the setuid-wrappers dir so that
VboxSVC calls them instead of the binaries from the store path. The
reason behind this is because nothing in the Nix store can have the
setuid flag.
* Excempt /nix/store from the group permission check, because while it
is group-writeable indeed it also has the sticky bit set (and also
the whole store is mounted read-only on most NixOS systems), so we're
checking on that as well.
Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers
directly, so someone would ever want to change those on a NixOS system,
please provide a patch to set those paths on build time. However, for
simplicity, it's best to do it when we _really_ need it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Traversing the full source tree is unneccessary, because the calls are
only done within make files. Hence we only substitute make files now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Thanks to @iElectric for the notification, although I'm not really sure
whether this will fix the following failed Hydra build:
http://hydra.nixos.org/build/17609086/nixlog/1/raw
The reason is that this failure doesn't happen on every build, but let's
see whether it will happen again now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is a response to 1fdefd5562.
We are already using bundled protobuf for the beta and dev channels and
it also breaks regularly with about every new Chromium release, so let's
use bundled protobuf for all channels now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We now create Nix expressions within the plugin output path(s) which
then will be imported and incorporated into the wrapper. This makes it
easier for other plugins to provide configuration settings to the main
Chromium wrapper.
Of course, in order to allow for external plugins we need to allow
passing a list of plugins to the Chromium derivation, but right now we
keep it internal and only use it for things such as NaCl (as soon as we
support it, of course).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Basic functionality works. No plugins yet (TODO: GExiv2, pyICU, webkit,
osmgsmmap).
Gives error messages about errors in GTK installation regarding
localization. No impact other than the messages visible.
This introduces Chromium 39 as the new stable version along with a bunch
of fixes.
Fixes#2799, particularily the PDF plugin, which now is open source and
thus no longer an issue.
Also fixes#3219 and merges #2906, so we no longer get a crash while
trying to bring up the print preview dialog.
Thanks to @edwtjo for the CUPS version bump.
* chromium: Switch to use open-source PDF plugin.
* cups: bump 1.5.4 -> 1.7.5
* chromium: Allow env vars for passing plugin paths.
* chromium: Update all channels to latest versions.
* protobuf: Clean up and update to version 2.6.1.
The Chromium PDF plugin is now available as open source software and is
already included in the Chromium source tree in current stable, so there
is no need to extract it from the Chrome binary package anymore.
See release announcement at http://blog.foxitsoftware.com/?p=641
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Introduces environment variables to set plugin base paths. The schema
for these is like NIX_CHROMIUM_PLUGIN_PATH_<N>. Where <N> is the path
type we want to change, the supported (full) variable names are:
* NIX_CHROMIUM_PLUGIN_PATH_ALL
* NIX_CHROMIUM_PLUGIN_PATH_PEPPERFLASH
* NIX_CHROMIUM_PLUGIN_PATH_FILEFLASH
* NIX_CHROMIUM_PLUGIN_PATH_PDF
* NIX_CHROMIUM_PLUGIN_PATH_FILE_EFFECTS
* NIX_CHROMIUM_PLUGIN_PATH_NACL
* NIX_CHROMIUM_PLUGIN_PATH_PNACL
* NIX_CHROMIUM_PLUGIN_PATH_WIDEVINE
Whereas NIX_CHROMIUM_PLUGIN_PATH_ALL is the plugin base path for every
path which is not set explicitly, so by setting ..._ALL and not setting
..._WIDEVINE, the widevine plugin will be searched in the directory
specified using ..._ALL.
Right now, the only plugin where this is used is widevine, and it still
doesn't properly work yet.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
With this commit, the following new upstream versions are introduced:
stable: 38.0.2125.101 -> 39.0.2171.65
beta: 39.0.2171.19 -> 40.0.2214.10
dev: 40.0.2182.3 -> 41.0.2224.3
We can now remove missing_alg_import.patch, because version 39 is nom
stable and thus fixes the missing include directive upstream.
However, starting with version 40, we hit a few bugs with system
protobuf, so we're disabling it for every version >=40 to avoid
runtime/startup errors.
Here is the stable channel announcement for version 39 on the official
blog:
http://googlechromereleases.blogspot.de/2014/11/stable-channel-update_18.html
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
