summaryrefslogtreecommitdiffstats
path: root/sandbox
Commit message (Collapse)AuthorAgeFilesLines
* Fix the POC and some of unit tests to be build andnsylvain@chromium.org2010-03-236-34/+30
| | | | | | | | | | run correctly in 64 bit. BUG=27218 Review URL: http://codereview.chromium.org/1168002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42392 0039d316-1c4b-4281-b951-d872f2087c98
* Add #include to fix compile errors on "Linux Perf (webkit.org)" bot.yutak@chromium.org2010-03-181-0/+1
| | | | | | | | | | TBR=markus BUG=none TEST=none Review URL: http://codereview.chromium.org/1107001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41931 0039d316-1c4b-4281-b951-d872f2087c98
* Add a first version of a tool for analyzing performance data output by themarkus@chromium.org2010-03-182-0/+197
| | | | | | | | | | sandbox. BUG=none TEST=none Review URL: http://codereview.chromium.org/1076001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41917 0039d316-1c4b-4281-b951-d872f2087c98
* Compute and pring the time that it takes to execute system calls. This datamarkus@chromium.org2010-03-1820-84/+327
| | | | | | | | | | | | is going to be skewed slightly, as calling gettimeofday() by itself also takes a little bit of time. But it should be good enough to allow us to see where we have performance bottlenecks. TEST=none BUG=none Review URL: http://codereview.chromium.org/997009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41905 0039d316-1c4b-4281-b951-d872f2087c98
* Marked UnloadDllTest.UnloadAviCapDllWithPatching as flaky.glider@chromium.org2010-03-171-1/+1
| | | | | | | | TBR=cpu Review URL: http://codereview.chromium.org/1002009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41832 0039d316-1c4b-4281-b951-d872f2087c98
* Third change to port sandbox to 64 bitscpu@chromium.org2010-03-165-35/+28
| | | | | | | | | | | | - Enable registry, file and event policy - Now sbox_integration_tests.exe runs and all tests pass BUG=27218 TEST=included Review URL: http://codereview.chromium.org/992003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41673 0039d316-1c4b-4281-b951-d872f2087c98
* Re-land second sandbox round of changescpu@chromium.org2010-03-1320-172/+351
| | | | | | | | | | | | | | | | | | | | | - broke integration tests See http://codereview.chromium.org/757001 BUG=27218 TEST=included No change in the original files. The only changes are in the files: sandbox/src/registry_dispatcher.cc sandbox/src/registry_dispatcher.h sandbox/src/filesystem_dispatcher.cc Because now even in 32 bits the handles map to void pointers Review URL: http://codereview.chromium.org/873006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41523 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 41481 - Secound round of sbox changes for 64 bit portericu@google.com2010-03-1217-340/+155
| | | | | | | | | | | | | | | | | | Handling pointer sized items Beefing up unit tests Beefing up integration tests Enabling Process, Thread and Token IPCs Making validation tests compile again BUG=27218 TEST= unit tests included Review URL: http://codereview.chromium.org/757001 TBR=cpu@chromium.org Review URL: http://codereview.chromium.org/871008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41491 0039d316-1c4b-4281-b951-d872f2087c98
* Secound round of sbox changes for 64 bit portcpu@chromium.org2010-03-1217-155/+340
| | | | | | | | | | | | | | | - Handling pointer sized items - Beefing up unit tests - Beefing up integration tests - Enabling Process, Thread and Token IPCs - Making validation tests compile again BUG=27218 TEST= unit tests included Review URL: http://codereview.chromium.org/757001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41481 0039d316-1c4b-4281-b951-d872f2087c98
* Fix warning that is now an error.craig.schlenter@chromium.org2010-03-101-2/+1
| | | | | | | | C:\b\slave\chromium-rel-xp\build\src\sandbox\src\sandbox.cc(16) : warning C4010: single-line comment contains line-continuation character Review URL: http://codereview.chromium.org/788003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41164 0039d316-1c4b-4281-b951-d872f2087c98
* Make sandbox code compile as "chromium_code".craig.schlenter@chromium.org2010-03-102-2/+6
| | | | | | | | | | | | | | | | This sets up useful flags like -Wall -Werror etc. Also squash a compiler warning: sandbox/linux/suid/process_util_linux.c: In function ‘AdjustOOMScore’: sandbox/linux/suid/process_util_linux.c:25: error: format ‘%lu’ expects type ‘long unsigned int’, but argument 4 has type ‘pid_t’ BUG=none TEST=try-servers Review URL: http://codereview.chromium.org/733001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41161 0039d316-1c4b-4281-b951-d872f2087c98
* Added missing copyright header.markus@chromium.org2010-03-0822-0/+88
| | | | | | | | BUG=32501 TEST=none Review URL: http://codereview.chromium.org/672011 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40946 0039d316-1c4b-4281-b951-d872f2087c98
* - Add a custom allocator for STL objects. This fixes sandbox failures thatmarkus@chromium.org2010-03-0813-218/+643
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | were observed on some machines (in particular in 32bit mode). - Some more changes to avoid calling into glibc when we can make a direct system call, instead. These particular call sites were unlikely to cause any problems. But it makes the code easier to audit if we avoid all unnecessary calls into glibc. - In 64bit mode, gettimeofday() is handled by vsyscalls and tends to be cheap. In 32bit mode, it is just a regular system call. Some users rely on being able to call gettimeofday() at a very high rate (up to thousands of consecutive calls). Recognize this system call pattern and optimize for it. - Add debugging option that allows us to warn about expensive system calls. In many cases, these warnings can then be used to optimize the sandboxed application. - Fix compilation on newer versions of gcc. - Changed the x86-32 version of the code that we use when intercepting system calls. Previously, we would use CALL to jump to the set of instructions that we had relocated. But we made the mistake of allowing relocation of instructions that reference %esp. This doesn't work, as CALL modifies the stack. We now avoid using CALL and instead jump directly. On x86-32 that requires the use of a PUSH/RET combination as there is no 32bit wide JMP instruction. The x86-64 version of the code was already written in a way that would avoid this particular problem. (I would like to thank Craig Schlenter for his exceptional detective work in tracking down the root cause of this bug!) - For debugging purposes, injected a really small library (less than 4kB) and discovered that some of our memory map manipulations implicitly relied on mappings to be at least two pages long. Fixed the code that made this incorrect assumption. - For really small libraries, the runtime linker can choose a different more compact layout. Our computation of the ASR offset did not know how to deal with that. Fixed by explicitly looking for a ".text" segment instead of looking for a PT_DYNAMIC section. - Closed a file descriptor that we kept open longer than needed. - Removed some unused code. - Added copyright headers TEST=tested on i386 and x86-64 BUG=36133 Review URL: http://codereview.chromium.org/661438 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40900 0039d316-1c4b-4281-b951-d872f2087c98
* Sandbox: Add code for all the interceptors.rvargas@google.com2010-03-055-14/+317
| | | | | | | | | | | | Still waiting for IPC to be able to test anything. BUG=27218 TEST=none Review URL: http://codereview.chromium.org/669128 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40700 0039d316-1c4b-4281-b951-d872f2087c98
* Porting sbox IPC to 64 bitcpu@chromium.org2010-03-039-49/+65
| | | | | | | | | | | | | | | | | -IPC unit tests enabled -Integration IPCTest test enabled -All unit test pass (62 tests) Other tests require interceptor fu. BUG=27218 TEST= unit tests included Review URL: http://codereview.chromium.org/661299 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40485 0039d316-1c4b-4281-b951-d872f2087c98
* Be more restrictive when finding file names for libraries that need patching.markus@chromium.org2010-02-241-2/+17
| | | | | | | | | | | | | | | | | | | | | This avoids false positives if the directory name matches one of the well-known library names (e.g. ld). False positives not only result in a performance hit at startup, because we are now trying to instrument libraries that don't actually contain any system calls; but even worse than this, we could try to instrument system calls in the sandboxing code itself. And those system calls are deliberately coded so that they will not get rewritten. Fortunately, none of this is a security problem. If we accidentally rewrite system calls that weren't supposed to be rewritten, we will just crash on startup. TEST=the sandbox now works on the buildbots BUG=36133 Review URL: http://codereview.chromium.org/652188 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39839 0039d316-1c4b-4281-b951-d872f2087c98
* Explicitly ask for unsigned values when comparing addresses. Not only is thismarkus@chromium.org2010-02-241-2/+2
| | | | | | | | | | | code hard to understand (and possibly broken) otherwise, some versions of GCC complain about the comparison without the cast. TEST=none BUG=none Review URL: http://codereview.chromium.org/657034 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39838 0039d316-1c4b-4281-b951-d872f2087c98
* Treat calls to lstat() and lstat64() the same as calls to stat(). In practise,markus@chromium.org2010-02-243-17/+72
| | | | | | | | | | | | | | | this means the calls will still be denied. But we now return a correct return code. But more importantly, this change brings the source code in line with the code of the stand-alone opensource sandbox. Wherever possible, we try to keep both code bases identical. TEST=none BUG=none Review URL: http://codereview.chromium.org/657040 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39837 0039d316-1c4b-4281-b951-d872f2087c98
* If /tmp is not a POSIX file system, try to use /dev/shm for creating ourmarkus@chromium.org2010-02-231-3/+58
| | | | | | | | | | | temporary directory. BUG=30926 TEST=tested with tmpfs, ext3 and NFS Review URL: http://codereview.chromium.org/650177 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39679 0039d316-1c4b-4281-b951-d872f2087c98
* Pulled out Callback code into base/callback.h. This is the first step ↵akalin@chromium.org2010-02-193-0/+3
| | | | | | | | | | | | | towards redoing the Callback interfaces. Added and removed includes as needed. BUG=35223 TEST=trybots Review URL: http://codereview.chromium.org/646061 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39419 0039d316-1c4b-4281-b951-d872f2087c98
* linux: change a type in the sandbox to fix a warningevan@chromium.org2010-02-151-1/+1
| | | | | | | | | int and long are the same size on the platforms we care about, but gcc doesn't like comparing int against LONG_MAX. Review URL: http://codereview.chromium.org/604056 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39071 0039d316-1c4b-4281-b951-d872f2087c98
* Sandbox: Some cleanup after the previous changes.rvargas@google.com2010-02-119-555/+465
| | | | | | | | | | | No real code change. BUG=27218 TEST=current tests. Review URL: http://codereview.chromium.org/597050 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@38837 0039d316-1c4b-4281-b951-d872f2087c98
* Sandbox: Add support for EAT interceptions in 64 bit.rvargas@google.com2010-02-107-20/+128
| | | | | | | | | | BUG=27218 TEST=manual integration tests. Review URL: http://codereview.chromium.org/600035 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@38681 0039d316-1c4b-4281-b951-d872f2087c98
* Sandbox: Finish the interception manager support for x64.rvargas@google.com2010-02-0422-152/+343
| | | | | | | | | | | | | | Unit tests and integration tests run (as long as they don't depend on IPCs), both regular and under SANDBOX_EXPORTS. The interception agent is there, but no EAT interceptions yet. BUG=27218 TEST=unit tests/ integration tests. Review URL: http://codereview.chromium.org/565026 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@38143 0039d316-1c4b-4281-b951-d872f2087c98
* seccomp: allow dup/dup2evan@chromium.org2010-02-031-0/+2
| | | | | | | | | | This is needed for opening the renderer<->plugin channel. TEST=flash works in seccomp mode Review URL: http://codereview.chromium.org/563024 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@38037 0039d316-1c4b-4281-b951-d872f2087c98
* Sandbox: Add the 64-bit service resolver and a fewrvargas@google.com2010-02-017-157/+324
| | | | | | | | | | | extra bits of infrastructure. BUG=27218 TEST=none Review URL: http://codereview.chromium.org/558032 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@37764 0039d316-1c4b-4281-b951-d872f2087c98
* Add a DCHECK to make sure that SpawnTarget is not callednsylvain@chromium.org2010-02-011-0/+7
| | | | | | | | | | | | from multiple threads. In chrome all child processes are started from the PROCESS_LAUNCHER thread. BUG=28798 Review URL: http://codereview.chromium.org/548192 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@37712 0039d316-1c4b-4281-b951-d872f2087c98
* Sandbox: Add the base code for the 46-bit service resolver.rvargas@google.com2010-01-292-1/+304
| | | | | | | | | BUG=27218 TEST=none Review URL: http://codereview.chromium.org/552223 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@37468 0039d316-1c4b-4281-b951-d872f2087c98
* Improve handling and testing of reparse points.rvargas@google.com2010-01-2710-101/+295
| | | | | | | | | BUG=28804 TEST=unit tests. Review URL: http://codereview.chromium.org/553080 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@37286 0039d316-1c4b-4281-b951-d872f2087c98
* Fix integer overflow in sboxcpu@chromium.org2010-01-223-29/+67
| | | | | | | | | BUG=32915 TEST= unit test included Review URL: http://codereview.chromium.org/553061 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@36923 0039d316-1c4b-4281-b951-d872f2087c98
* Make sure we can't create reg links from the sandbox.nsylvain@chromium.org2010-01-224-6/+68
| | | | | | | | BUG=28805 Review URL: http://codereview.chromium.org/555041 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@36895 0039d316-1c4b-4281-b951-d872f2087c98
* Prepare the sandbox for integration with NaCl broker for 64-bit Windows. The ↵gregoryd@google.com2010-01-174-84/+137
| | | | | | | | | | broker currently launches with --no-sandbox, so the 64-bit version of the sandbox library is there only to allow successful build. BUG=27218 TEST=none Review URL: http://codereview.chromium.org/543058 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@36469 0039d316-1c4b-4281-b951-d872f2087c98
* Try the SANDOX_INERT flag in CreateRestrictedTokencpu@chromium.org2010-01-121-1/+5
| | | | | | | | | | | | - It might help with the AppLocker problem. See bug below. BUG=10576 TEST=existing tests suffice Review URL: http://codereview.chromium.org/541018 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35990 0039d316-1c4b-4281-b951-d872f2087c98
* linux: make the seccomp sandbox work againevan@chromium.org2010-01-081-12/+54
| | | | | | | | | | | | | | | | | We were hitting a stack overflow on renderer startup, because of the following: When we patch out syscalls, we need a scratch space near (within a 32-bit jump) of the original code. We pick the scratch space as the end of the nearest empty region available before the code we're patching. For the vdso region, the stack lies directly before it and so the region we'd grab was directly before the stack. This meant that as soon as the stack attempted to grow it'd fail because it ran into our patch region, and we'd hit a stack overflow. The fix is to specially note when we're near the stack region, and instead put our scratch space as far away from the stack as possible. Review URL: http://codereview.chromium.org/518071 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35759 0039d316-1c4b-4281-b951-d872f2087c98
* Linux: Adjust /proc/pid/oom_adj to sacrifice plugin and renderer processes ↵thestig@chromium.org2009-12-104-1/+83
| | | | | | | | | | to the OOM killer. BUG=29752 TEST=During out of memory conditions, Linux kernel picks a plugin/renderer over the browser process. Review URL: http://codereview.chromium.org/467058 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@34222 0039d316-1c4b-4281-b951-d872f2087c98
* 64-bit compatibility changes for the sandbox codegregoryd@google.com2009-11-117-12/+27
| | | | | | | | | This CL contains some basic changes that eliminate some of the warnings that appear when the sandbox code is compiled for 64-bit Windows. This is part of a larger effort to support Native Client on 64-bit Windows (that will require the sandbox to support 64-bit Windows). TEST=will be tested when the rest of the code builds for 64-bit Windows BUG=27218 Review URL: http://codereview.chromium.org/378030 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@31625 0039d316-1c4b-4281-b951-d872f2087c98
* Sort the source files in sandbox.gypgregoryd@google.com2009-11-091-70/+70
| | | | | | Review URL: http://codereview.chromium.org/375018 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@31449 0039d316-1c4b-4281-b951-d872f2087c98
* Allow the seccomp sandbox to be enabled, even if the suid sandbox hasmarkus@chromium.org2009-11-0720-103/+141
| | | | | | | | | | already put a chroot() jail around it. The only tricky part is access to /proc/self/maps, but we can safely pass in an open file descriptor. BUG=26527 Review URL: http://codereview.chromium.org/371047 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@31372 0039d316-1c4b-4281-b951-d872f2087c98
* linux: compile fix for chrome_sandbox on 64-bit karmicevan@chromium.org2009-11-041-0/+1
| | | | | | | | You need <limits.h> for ULLONG_MAX. Review URL: http://codereview.chromium.org/355025 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@30978 0039d316-1c4b-4281-b951-d872f2087c98
* Only enable the seccomp sandbox, if the machine actually has kernel support formarkus@chromium.org2009-11-043-1/+66
| | | | | | | | | | | | | this feature, and if no other obstacle prevents us from enabling it. Otherwise, we print a warning message and continue running without the sandbox. This is not ideal, but given the non-trivial number of users who might not have seccomp enabled by default, this seems the prudent approach. BUG=26521 Review URL: http://codereview.chromium.org/341092 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@30966 0039d316-1c4b-4281-b951-d872f2087c98
* Allow chrome_sandbox to act as a helper program and find the socket with a ↵thestig@chromium.org2009-11-044-4/+168
| | | | | | | | | | given inode number. BUG=none TEST=none Review URL: http://codereview.chromium.org/312003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@30931 0039d316-1c4b-4281-b951-d872f2087c98
* Use scoped_array (not scoped_ptr) with new[].kuchhal@chromium.org2009-10-236-7/+7
| | | | | | | | | BUG=24266 TEST=No functional change so make sure nothing changes. Review URL: http://codereview.chromium.org/307045 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29843 0039d316-1c4b-4281-b951-d872f2087c98
* GCC's optimizer is getting more aggressive. It is no longer goodmarkus@chromium.org2009-10-223-7/+14
| | | | | | | | | | | | | | | | | | | | enough to just pass the address of a structure as an input parameter to assembly code. The assembly code must also mark "memory" as getting clobbered, even if it only wants to read from the structure. This seems to be a result of strict aliasing and the lack of an ability for the assembly code to clearly say which pointers it dereferences. Furthermore, if the assembly code touches the stack (e.g. uses "push"), it must now mark the stack pointer as getting clobbered. Otherwise, GCC assumes that the red zone won't be clobbered, and that it is possible to use the stack pointer as an input register. BUG=none TEST=none Review URL: http://codereview.chromium.org/320008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29829 0039d316-1c4b-4281-b951-d872f2087c98
* - found all symbols that we directly access from assembly and marked them as ↵markus@chromium.org2009-10-2113-486/+210
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | internal. This ensures that the linker won't complain about IP relative addressing for symbols that could be overridden at run-time. - avoided using "g" register constraints, as there has been a report of some versions of GCC erroneously generating code that is no longer position independant when this constraint is used. - removed the old code that fork()'s a child to try to extend mappings of libraries at run-time. This code always was somewhat fragile and caused a measurable performance penalty when the sandbox was started. Replaced with code that remapped just the very first page. This can actually be done in a running process without disrupting the use of the libraries. - added a special case for the instrumentation code allowing it to deal with jumps between the VDSO and VSyscalls even if the instructions would normally not be eligible for interception as they are IP relative. After making this change, we can again find sufficiently large code snippets to rewrite them successfully. This is only a concern on x86_64. - fixed a bug that would erroneously look for IP relative addressing on x86_32. It doesn't exist for that architecture. TEST=none BUG=http://code.google.com/p/chromium/issues/detail?id=18337 Review URL: http://codereview.chromium.org/306036 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29726 0039d316-1c4b-4281-b951-d872f2087c98
* Change yet again the way we do ResolveNTFunctionPtrcpu@chromium.org2009-10-141-2/+1
| | | | | | | | | | | | | - This version is different from last three TEST=chrome should start and you can browse BUG=11789 Review URL: http://codereview.chromium.org/275014 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29039 0039d316-1c4b-4281-b951-d872f2087c98
* Add comments setting emacs and vim tab width and expansion variables.sgk@google.com2009-10-061-0/+6
| | | | | | | | BUG=none TEST=successful builds Review URL: http://codereview.chromium.org/256059 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@28089 0039d316-1c4b-4281-b951-d872f2087c98
* Change again the way we do ResolveNTFunctionPtrcpu@chromium.org2009-09-291-3/+7
| | | | | | | | | | | | - This version is different from last two TEST=chrome should start and you can browse BUG=11789 Review URL: http://codereview.chromium.org/246026 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@27453 0039d316-1c4b-4281-b951-d872f2087c98
* Preliminary fixes to enable link dependent objects.maruel@chromium.org2009-09-241-1/+5
| | | | | | | | BUG=22926 TEST=still builds Review URL: http://codereview.chromium.org/231020 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@27112 0039d316-1c4b-4281-b951-d872f2087c98
* Force inclusion of build/common.gypi for all chromium gyp files.yaar@chromium.org2009-09-151-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | Why: Simpler build code. If everybody includes it, it should be included automatically. Why now: The webkit chromium builds need it be specified, since can't default to build/common.gypi. What was done: 1. build/common.gypi's contents were moved to a new file build/gyp_chromium.gypi 2. tools/gyp/gyp_chromium was moved to build/gyp_chromium and made to automatically include build/gyp_chromium.gypi. 3. lots of gyp files were fixed to not refer to build/common.gypi any more. 4. o3d which also builds independently of chrome, was fixed to have a gyp_o3d that includes gyp_chromium.gypi too. 5. build/common.gypi was left empty, because there are some external projects that still refer to it. Things that are left to do after this patch is in: 1. The following external files (in other repositories) need to stop include common.gypi ./third_party/hunspell/hunspell.gyp ./third_party/icu/icu.gyp ./v8/tools/gyp/v8.gyp 2. Once nobody refers to common.gypi anymore, delete common.gypi -or- Delete gyp_chromium.gypi and move its content back to common.gypi Tested on mac, win and linux. On win, got a few unit tests errors on chrome bookmarks, which should not be related. I'm running again with clobber to verify. Review URL: http://codereview.chromium.org/206006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26302 0039d316-1c4b-4281-b951-d872f2087c98
* Linux: add support for SELinux.agl@chromium.org2009-09-151-1/+10
| | | | | | | | | | | | | | | | | | This patch adds support for a selinux GYP variable which, when set to one, does the following: * Removes the seccomp sandbox from the compile * Removes support for SUID sandboxing from the zygote * Performs a dynamic transition, in the zygote, to chromium_renderer_t. This code requires that the system policy have a sensible set of access vectors for the chromium_renderer_t type. Such a policy will be found in sandbox/selinux in the future. http://codereview.chromium.org/203071 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26257 0039d316-1c4b-4281-b951-d872f2087c98
generated by cgit v1.1 at 2025-01-31 12:57:44 +0000