authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-09-15 20:13:38 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-09-15 20:13:38 +0000
commitad6d2c4304320a300009682901199278fabd3148 (patch)
treea85ecca65867c1a5696c7075a3def08525a496e2 /build
parent2f4e8134c2a1d868eb4264dfb110cab5a94f43d7 (diff)
Linux: add support for SELinux.
This patch adds support for a selinux GYP variable which, when set to one, does the following: * Removes the seccomp sandbox from the compile * Removes support for SUID sandboxing from the zygote * Performs a dynamic transition, in the zygote, to chromium_renderer_t. This code requires that the system policy have a sensible set of access vectors for the chromium_renderer_t type. Such a policy will be found in sandbox/selinux in the future. http://codereview.chromium.org/203071 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26257 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'build')
-rw-r--r--build/common.gypi6
-rw-r--r--build/linux/system.gyp9
2 files changed, 15 insertions, 0 deletions
diff --git a/build/common.gypi b/build/common.gypi
index aeb5d11..7b8ad12 100644
--- a/build/common.gypi
+++ b/build/common.gypi
@@ -112,6 +112,9 @@
# sandbox the zygote process and, thus, all renderer processes.
'linux_sandbox_path%': '',
+ # Set this to true to enable SELinux support.
+ 'selinux%': 0,
+
'conditions': [
['OS=="linux"', {
'conditions': [
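Review bot: The comment on `'selinux%'` says "true", but the variable defaults to `0` and the later hunk in this file tests `selinux==1`, so it should say 1. The comment also omits what the commit description states: with this set, the seccomp sandbox is compiled out and SUID sandbox support is removed from the zygote. Renderer confinement then rests on the transition to chromium_renderer_t, which only helps if the system policy defines sensible access vectors for that type. I would write `# Set to 1 to build with SELinux support. This removes the seccomp and SUID sandboxes;` followed by `# renderer confinement then depends on a system policy for chromium_renderer_t.` The enclosing variables block starts and ends outside the hunk.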
@@ -189,6 +192,9 @@
['chromeos==1', {
'defines': ['OS_CHROMEOS=1'],
}],
+ ['selinux==1', {
+ 'defines': ['CHROMIUM_SELINUX=1'],
+ }],
['coverage!=0', {
'conditions': [
['OS=="mac"', {
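Review bot: The new `['selinux==1', {` condition is not visibly tied to `OS=="linux"`, so as far as this hunk shows, a stray `selinux=1` on another platform's build would still define `CHROMIUM_SELINUX=1`. If code guarded by that macro is what drops the seccomp and SUID sandbox paths, as the commit description suggests, the define should not be reachable outside Linux. I would gate it as `['OS=="linux" and selinux==1', {` unless an enclosing Linux-only condition already covers it. The surrounding `conditions` list begins and ends outside the hunk, so this cannot be confirmed from here.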
diff --git a/build/linux/system.gyp b/build/linux/system.gyp
index 7b6d82c..5275373 100644
--- a/build/linux/system.gyp
+++ b/build/linux/system.gyp
@@ -135,6 +135,15 @@
],
},
},
+ {
+ 'target_name': 'selinux',
+ 'type': 'settings',
+ 'link_settings': {
+ 'libraries': [
+ '-lselinux',
+ ],
+ },
+ },
# TODO(evanm): temporarily disabled while we figure out whether to depend
# on gnome-keyring etc.
# http://code.google.com/p/chromium/issues/detail?id=12351
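Review bot: The `selinux` settings target has no comment saying it should be depended on only when `selinux==1`. Any target that lists it unconditionally makes libselinux a link-time requirement for every Linux build. A line such as `# Depend on this only under selinux==1; it adds -lselinux to the link.` above `'target_name': 'selinux'` would make that explicit. The `-lselinux` flag is also hard-coded; if the other targets in this file resolve their libraries through pkg-config (not visible in this hunk), doing the same here would keep the file consistent.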