mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-28 09:53:10 +00:00
c06c636604
This patch adds support for unprivileged user namespaces found in kernel versions 3.8.0 and later. In case of Nix, this is especially useful to prevent having to set up setuid wrappers. The implementation details about this patch can be found at the top of the file "sandbox_userns.patch". My first attempt of creating this patch was by modifying the SUID sandbox. Unfortunately this didn't work out well, because in the event of a sandbox failure, the host zygote process waits for an answer of the inner zygote with no timeout. Even if I'd have set a timeout, this would have been very ugly, giving users which don't have unprivileged user namespaces a delay on startup. An alternative approach to the mentioned problem would be to use select() on the host zygote, watching for changes stdout or stderr and the synchronization socket. But even that approach isn't feasible because it requires a whole bunch of even more patching. Patch was tested with older kernels (3.2.x, 3.7.x) and kernels without user namespace support enabled, where in case the feature is unavailable it reverts back to the previous behaviour (no zygote sandbox, only seccomp BPF). In order to support all Chromium channels, I manually changed the first hunk of the patch to not include the starting context of the diff, because there is a whitespace change in more recent versions of the Chromium source tree. See SVN revision 199882 for the change (revert in this case) in detail: http://src.chromium.org/viewvc/chrome?view=revision&revision=199882 Signed-off-by: aszlig <aszlig@redmoonstudios.org> |
||
|---|---|---|
| .. | ||
| arora | ||
| chromium | ||
| conkeror | ||
| elinks | ||
| firefox | ||
| icecat-3 | ||
| kwebkitpart | ||
| links | ||
| links2 | ||
| lynx | ||
| midori | ||
| mozilla | ||
| mozilla-plugins | ||
| netsurf | ||
| opera | ||
| rekonq | ||
| uzbl | ||
| vimprobable2 | ||
| w3m | ||