
Reland "Stop removing rpath_for_built_shared_libraries from chrome_sandbox"

This is a reland of 43a48785f2

After [1], the RPATH is no longer set for sanitizer builds.  Also, after [2],
the setuid bit is no longer set on chrome_sandbox anyway.

[1] f002a96e9b
[2] de3a6f421e

Original change's description:
> Stop removing rpath_for_built_shared_libraries from chrome_sandbox
>
> For instrumented builds like tsan, this causes chrome_sandbox to reference the
> wrong libc++.so due to a missing RPATH.
>
> Since all configurations we ship don't set RPATH, we don't have to worry about
> security vulnerabilities introduced by RPATH=$ORIGIN.  There's also a check to
> enforce this in chrome/installer/linux/common/installer.include.
>
> BUG=850682
>
> Change-Id: I25307bd9de388009acffdbb8de6717210873655b
> Reviewed-on: https://chromium-review.googlesource.com/1092077
> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
> Reviewed-by: Dirk Pranke <dpranke@chromium.org>
> Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#566099}

Bug: 850682
Change-Id: I82fda0bd5b8f0222d64dcf6c4b7d1199c7e5e585
Reviewed-on: https://chromium-review.googlesource.com/1150254
Reviewed-by: Nico Weber <thakis@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#578346}
This commit is contained in:
Tom Anderson
2018-07-26 17:15:04 +00:00
committed by Commit Bot
parent 63b093741c
commit c7b993b3e8
2 changed files with 0 additions and 23 deletions
build/config/gcc
sandbox/linux

@ -98,10 +98,6 @@ config("rpath_for_built_shared_libraries") {
# Settings for executables.
config("executable_ldconfig") {
# WARNING! //sandbox/linux:chrome_sandbox will not pick up this
# config, because it is a setuid binary that needs special flags.
# If you add things to this config, make sure you check to see
# if they should be added to that target as well.
ldflags = []
if (is_android) {
ldflags += [
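
Review bot: Deleting the WARNING comment at the top of config("executable_ldconfig") leaves nothing here to say that //sandbox/linux:chrome_sandbox now does pick up this config. Consider replacing it with a short comment stating that chrome_sandbox inherits these ldflags and that shipped configurations must not set RPATH (the commit message cites the check in chrome/installer/linux/common/installer.include), so that anyone adding flags here later knows they also reach the sandbox helper.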

@ -319,25 +319,6 @@ if (is_linux) {
# TODO fix this and re-enable this warning.
"-Wno-sign-compare",
]
import("//build/config/compiler/compiler.gni")
import("//build/config/sanitizers/sanitizers.gni")
if (is_component_build || using_sanitizer) {
# WARNING! We remove this config so that we don't accidentally
# pick up the //build/config:rpath_for_built_shared_libraries
# sub-config. However, this means that we need to duplicate any
# other flags that executable_config might have.
configs -= [ "//build/config:executable_config" ]
if (!use_gold) {
ldflags = [ "-Wl,--disable-new-dtags" ]
}
}
# We also do not want to pick up any of the other sanitizer
# flags (i.e. we do not want to build w/ the sanitizers at all).
# This is safe to delete unconditionally, because it is part of the
# default configs and empty when not using the sanitizers.
configs -= [ "//build/config/sanitizers:default_sanitizer_flags" ]
}
}
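
Review bot: The deleted block did more than keep //build/config:rpath_for_built_shared_libraries out of chrome_sandbox: inside the `if (is_component_build || using_sanitizer)` branch it also set "-Wl,--disable-new-dtags" when !use_gold, and after that branch it removed //build/config/sanitizers:default_sanitizer_flags unconditionally, while the commit description only argues the RPATH part. Please say in the description, or in a comment on the target, that chrome_sandbox is now intentionally built with the sanitizer flags in sanitizer builds, and confirm that nothing remaining in this file still depends on the two import() lines removed here.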