Reland "Stop removing rpath_for_built_shared_libraries from chrome_sandbox"
This is a reland of 43a48785f23a65d5b3f0cefac086d67c3dea4eb0
After [1], the RPATH is no longer set for sanitizer builds. Also, after [2],
the setuid bit is no longer set on chrome_sandbox anyway.
[1] https://chromium.googlesource.com/chromium/src.git/+/f002a96e9b788fe71fd1c773a4bc891940c409d8
[2] https://chromium.googlesource.com/chromiumos/chromite.git/+/de3a6f421ec7e32c45fd4131f50d2c0a98fcdd56
Original change's description:
> Stop removing rpath_for_built_shared_libraries from chrome_sandbox
>
> For instrumented builds like tsan, this causes chrome_sandbox to reference the
> wrong libc++.so due to a missing RPATH.
>
> Since all configurations we ship don't set RPATH, we don't have to worry about
> security vulnerabilities introduced by RPATH=$ORIGIN. There's also a check to
> enforce this in chrome/installer/linux/common/installer.include.
>
> BUG=850682
>
> Change-Id: I25307bd9de388009acffdbb8de6717210873655b
> Reviewed-on: https://chromium-review.googlesource.com/1092077
> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
> Reviewed-by: Dirk Pranke <dpranke@chromium.org>
> Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#566099}
Bug: 850682
Change-Id: I82fda0bd5b8f0222d64dcf6c4b7d1199c7e5e585
Reviewed-on: https://chromium-review.googlesource.com/1150254
Reviewed-by: Nico Weber <thakis@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#578346}diff --git a/build/config/gcc/BUILD.gn b/build/config/gcc/BUILD.gn
index 2fe0f4e..14a2ec9 100644
--- a/build/config/gcc/BUILD.gn
+++ b/build/config/gcc/BUILD.gn
@@ -98,10 +98,6 @@
# Settings for executables.
config("executable_ldconfig") {
- # WARNING! //sandbox/linux:chrome_sandbox will not pick up this
- # config, because it is a setuid binary that needs special flags.
- # If you add things to this config, make sure you check to see
- # if they should be added to that target as well.
ldflags = []
if (is_android) {
ldflags += [
diff --git a/sandbox/linux/BUILD.gn b/sandbox/linux/BUILD.gn
index 6f43c6cb..754fe5a 100644
--- a/sandbox/linux/BUILD.gn
+++ b/sandbox/linux/BUILD.gn
@@ -319,25 +319,6 @@
# TODO fix this and re-enable this warning.
"-Wno-sign-compare",
]
-
- import("//build/config/compiler/compiler.gni")
- import("//build/config/sanitizers/sanitizers.gni")
- if (is_component_build || using_sanitizer) {
- # WARNING! We remove this config so that we don't accidentally
- # pick up the //build/config:rpath_for_built_shared_libraries
- # sub-config. However, this means that we need to duplicate any
- # other flags that executable_config might have.
- configs -= [ "//build/config:executable_config" ]
- if (!use_gold) {
- ldflags = [ "-Wl,--disable-new-dtags" ]
- }
- }
-
- # We also do not want to pick up any of the other sanitizer
- # flags (i.e. we do not want to build w/ the sanitizers at all).
- # This is safe to delete unconditionally, because it is part of the
- # default configs and empty when not using the sanitizers.
- configs -= [ "//build/config/sanitizers:default_sanitizer_flags" ]
}
}
