How to change path to chrome-sandbox permanently?


Peter

Mar 4, 2015, 2:17:26 PM
to chromi...@chromium.org
Hello.

I managed to download Chromium source code and successfully compile it (release build) under Linux (Ubuntu 14.04 64-bit)
with the help of Chromium wiki. As far as I know, path to chrome-sandbox is hard-coded into the Chromium binary, so in order
to run Chromium in normal mode (without --no-sandbox) I need to set the path before the build process. Suppose I want to set it
to /usr/lib/chromium-browser/chrome-sandbox. How do I do it? According to some website, the chrome-sandbox path is stored
in GYP variable linux_sandbox_path. Honestly, I know very little about how GYP works (all I know is it generates build.ninja files)
or about syntax of .gyp and .gypi files. I thought all I had to do was execute either:
 
gyp_chromium -Dlinux_sandbox_path=/usr/lib/chromium-browser/chrome-sandbox

or:

export GYP_DEFINES="linux_sandbox_path=/usr/lib/chromium-browser/chrome-sandbox"
gyp_chromium

then run gclient runhooks and finally recompile Chromium with ninja -C out/Release chrome.

Unfortunately when I do this, ninja shows "no work to do" message, probably because
no source file has been changed since last build. Does it mean I have to recompile the whole
project for this one little change to take effect or is there a faster way? What is the default
value of linux_sandbox_path anyway? Having grepped through source code tree I found only one reference
to that variable, in breakpad/src/build/common.gypi, but it's set to empty value there (or so it looks).
After I ran:
 
gyp_chromium -Dlinux_sandbox_path=/usr/lib/chromium-browser/chrome-sandbox

the value of linux_sandbox_path in breakpad/src/build/common.gypi
remained empty - is it normal, shouldn't it have changed to the one set by me?

BTW, I know that mode of chrome-sandbox must be 4755 and the file must be owned by root,
so that won't be a problem.

Jeremy Roman

Mar 4, 2015, 4:40:22 PM
to pil...@poczta.onet.pl, Chromium-dev
I'm not an expert on the sandbox code, but it doesn't look like that gyp variable does anything anymore (it should probably be removed, if that's the case -- I don't know if breakpad needs it for anything else).

It looks like SetuidSandboxHost::GetSandboxBinaryPath (in src/sandbox/linux/suid/client/setuid_sandbox_host.cc) is probably what you want to modify. Currently it seems to be looking for a "chrome-sandbox" binary next to the Chrome binary (e.g. for Google Chrome, in /opt/google/chrome).

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

Rob Wu

Mar 4, 2015, 4:50:08 PM
to Jeremy Roman, pil...@poczta.onet.pl, Chromium-dev
The sandbox is found as follows:
- If chrome-sandbox exists at the location of the Chromium binary, then it is used.
- Otherwise (if chrome-sandbox does not exist alongside your chromium binary), then the environment variable CHROME_DEVEL_SANDBOX will be used.

If neither method returned a path, or if the file is not owned by root with permissions 4755, then Chrome refuses to start up unless --no-sandbox is passed.

So, to get back to your title, make sure that you do not compile the chrome_sandbox target with ninja, and export the following environment variable, e.g. by putting the following in your .bashrc:
export CHROME_DEVEL_SANDBOX=/usr/lib/chromium-browser/chrome-sandbox

Kind regards,
 Rob
 https://robwu.nl

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
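
The lookup order and the owner/mode rule described in the reply above, written out as a check you can run before launching a self-built binary. This is an added example, not part of the original post and not Chromium's own code; the function names are hypothetical and GNU `stat` is assumed.

```shell
#!/usr/bin/env bash
# Added example (not Chromium code). Function names are hypothetical.
# Assumes GNU coreutils `stat`, as on the Ubuntu system in this thread.

# Print the helper path chosen for a chrome binary located in directory $1:
# a chrome-sandbox file next to the binary wins, otherwise the
# CHROME_DEVEL_SANDBOX environment variable is used. Returns 1 if neither
# yields a path.
resolve_sandbox_path() {
    if [ -e "$1/chrome-sandbox" ]; then
        printf '%s\n' "$1/chrome-sandbox"
    elif [ -n "${CHROME_DEVEL_SANDBOX:-}" ]; then
        printf '%s\n' "$CHROME_DEVEL_SANDBOX"
    else
        return 1
    fi
}

# True only for owner uid 0 (root) and octal mode exactly 4755.
perms_ok() {
    [ "$1" = "0" ] && [ "$2" = "4755" ]
}

# Exit status: 0 = usable, 1 = wrong owner or mode, 2 = no helper file.
audit_sandbox() {
    local path uid mode
    path=$(resolve_sandbox_path "$1") || { echo "no sandbox path found"; return 2; }
    [ -f "$path" ] || { echo "$path: not a regular file"; return 2; }
    # -L follows symlinks so the helper itself is inspected, not a link to it.
    uid=$(stat -L -c '%u' "$path")
    mode=$(stat -L -c '%a' "$path")
    if perms_ok "$uid" "$mode"; then
        echo "$path: ok (root-owned, mode 4755)"
    else
        echo "$path: uid=$uid mode=$mode, expected uid=0 mode=4755"
        return 1
    fi
}

# Stand-alone use: pass the directory that holds the chrome binary.
if [ "$#" -gt 0 ]; then
    audit_sandbox "$1"
fi
```

Run it with the build output directory as the argument, for example `out/Release`; a non-zero status means Chrome would need `--no-sandbox` to start.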

Peter

Mar 5, 2015, 1:56:00 PM
to chromi...@chromium.org
Thank you for your answer, but now I'm facing further problems:

1. as I mentioned before, I compiled Chromium, but the binary doesn't work as
expected, an error message depends on where the binary is located.

a) if I try to run it from its original directory (src/out/Release) I get the following error:

[5:5:0100/000000:ERROR:zygote_linux.cc(584)] write: Broken pipe

Of course I didn't forget to copy chrome-sandbox binary to src/out/Release
(if I had I would've got "Running without the SUID sandbox!" error instead).

b) if I copy Chromium binary to another location (probably /usr/bin/chromium-browser, but I'm not sure now)
and try to run it from there, I get a different error:

[0305/140633:FATAL:isolate_holder.cc(71)] Couldn't mmap v8 natives data file
Aborted (core dumped)

Any idea what's going on here? Looks like two unrelated problems, but I may be wrong.


2. Is debug build the default one? Contrary to what I said last time, it seems that
I unintentionally built Chromium in debug mode instead of release mode. I can judge
it by the size of the binary (almost 150 MB). gyp_chromium, when run with no parameters,
created build.ninja files in both out/Debug and out/Release directories. I assumed those were
 two different files, one for debug build and the other one for release build, but it turned out
that both files were the same. Why does it work that way (the same build file created in both
directories) and how do I force a release build? By a random search I found two potential solutions,
either:

GYP_GENERATOR_FLAGS=config=Release && ./build/gyp_chromium

or:

GYP_DEFINES=buildtype=Official && ./build/gyp_chromium

but I don't know the difference between them.

3. (Less important, but I'm curious anyway)

Normally I wouldn't need it, because I already have
a sandbox binary in /usr/lib/chromium-browser directory,
but how to build it from source code? I thought it would be built along with
Chromium as a dependency, but apparently it's not - after
ninja had done its job with Chromium I couldn't find sandbox
binary in out/Release. If now I try to invoke ninja with sandbox
as a separate target:

ninja -C out/Release sandbox

it returns a "no work to do" status.

If I attempt to make a clean build of sandbox alone,
its source files get compiled, but no sandbox binary
appears in out/Release. What am I missing?



Josh Horwich

Mar 5, 2015, 2:04:38 PM
to pil...@poczta.onet.pl, chromi...@chromium.org
I was able to build the sandbox binary using the chrome_sandbox target:

ninja -C out/Release chrome_sandbox   # note it's underscore, not dash

Peter

Mar 9, 2015, 2:04:09 PM
to chromi...@chromium.org
I don't want to start a new thread, so I'll ask here once again, hoping for answers to a few more questions.

1. I managed to run a compiled Chromium binary, but there's a warning message in a browser window that says:
"Google API keys are missing. Some functionality of Chromium will be disabled". What are Google API keys and
what do I need them for? If they're really necessary, how can I install them? If they're not, how do I suppress
the warning message?

2. I asked this before, but still don't know the answer. What exactly does the "Couldn't mmap v8 natives data file"
error mean? It shows up whenever I move the executable to a location different than out/Release directory
(where Chromium was built) and attempt to run it from there. I suspect it has something to do with
snapshot_blob.bin and/or mksnapshot files, also located in out/Release, but what exactly are they responsible for?

3. I also asked this before, but am still not sure. How to make a release build instead of a debug build?
Is the only difference to call:

GYP_GENERATOR_FLAGS=config=Release && ./build/gyp_chromium

instead of plain ./build/gyp_chromium?

4. What are the exact command line flags to build exactly the same Chromium binary as the one
I get when installing the browser with apt-get install chromium-browser?

Lei Zhang

Mar 9, 2015, 2:12:04 PM
to pil...@poczta.onet.pl, Chromium-dev
1. http://www.chromium.org/developers/how-tos/api-keys (found by
searching for "chromium api keys")

2. Yes, you probably forgot to copy natives_blob.bin and
snapshot_blob.bin. They are V8's "initial snapshot" data, whatever
that is.

3. ninja -C out/Release vs ninja -C out/Debug

4. We don't distribute the Debian / Ubuntu chromium-browser package.
Talk to your distro's chromium-browser package maintainer.

Julien Tinnes

Mar 9, 2015, 3:43:59 PM
to pil...@poczta.onet.pl, Chromium-dev
Hi,


The script at "build/update-linux-sandbox.sh" should help you do the right thing.

Julien



Peter

Mar 9, 2015, 3:44:29 PM
to chromi...@chromium.org


> 3. ninja -C out/Release vs ninja -C out/Debug

That's what I first thought, but in my case ninja -C out/Release built a binary whose
size was almost 150 MB (I passed no flags to GYP and set no environment variables).
The size of release binary should be around 30 MB, so something must have gone wrong.
Besides, as I mentioned earlier, after "gclient runhooks" had completed, my Debug and Release
directories contained exactly the same build.ninja file (I compared them with diff).
Is that the way it should be?

Lei Zhang

Mar 9, 2015, 3:57:33 PM
to pil...@poczta.onet.pl, Chromium-dev
The current Google Chrome release has a chrome binary that is 86 MB. I
don't know why you think a chrome binary should be only 30 MB.

The build.ninja file is indeed the same for out/Debug and out/Release,
but other .ninja files are not the same. Look at
out/Debug/obj/base/base.ninja vs the Release copy for example.

Peter

Mar 9, 2015, 4:44:20 PM
to chromi...@chromium.org

> The current Google Chrome release has a chrome binary that is 86 MB. I
> don't know why you think a chrome binary should be only 30 MB.

I don't know where I read it, but I admit it sounded suspiciously small.
Still, my binary, for some reason, is 147 MB which is a lot more than 86 MB.
How can I reliably check if what I built is a debug or release executable?
 
> The build.ninja file is indeed the same for out/Debug and out/Release,
> but other .ninja files are not the same. Look at
> out/Debug/obj/base/base.ninja vs the Release copy for example.
 
Thanks, I'll try to give it a look tomorrow (I don't have access to my other
computer right now).

Lei Zhang

Mar 9, 2015, 4:58:49 PM
to pilarp23, Chromium-dev
Try running the strip command on the binary and see what the size is
after that. The 86 MB size I mentioned is for the current stable
channel, whereas the current dev channel binary is 94 MB.

Before running the strip command, the chrome binary in out/Debug is
usually 500 MB or larger.

Torne (Richard Coles)

Mar 10, 2015, 6:13:08 AM
to the...@chromium.org, pilarp23, Chromium-dev
As Lei mentioned, you need to strip the binary before you will see the "real" size. We include symbol information in the binaries even in release mode, because it's trivial to strip them before distributing them, and having the symbols makes development/debugging on release builds (sometimes necessary for performance/etc work) more convenient.

Peter

Mar 11, 2015, 3:01:48 PM
to chromi...@chromium.org, pil...@poczta.onet.pl
Ok, I have one more question. If GYP, by default, produces appropriate build.ninja files for both debug and release build,
then what's the purpose of GYP config=Release flag? Is it some legacy stuff no longer used?

Thiago Farina

Mar 11, 2015, 4:15:23 PM
to pil...@poczta.onet.pl, chromi...@chromium.org


On Wednesday, March 11, 2015, Peter <pil...@poczta.onet.pl> wrote:
> Ok, I have one more question. If GYP, by default, produces appropriate build.ninja files for both debug and release build,
> then what's the purpose of GYP config=Release flag? Is it some legacy stuff no longer used?

I think if you don't specify config, then it generates both Debug and Release. On the other hand, if you specify config=Debug, then only Debug will be generated.


--
Thiago Farina

Bruce

Mar 12, 2015, 3:01:10 PM
to chromi...@chromium.org, pil...@poczta.onet.pl
The GYP config=Release option is not normally needed, but it can be useful.

Normally when you build the ninja files (build/gyp_chromium) you get both Debug and Release ninja files, in out/Debug and out/Release. You can then do a debug or release build by using the -C option to ninja.

The config=Debug option is needed if you want different settings for your debug and release builds. For instance, it probably doesn't make sense (certainly not on Windows) to have a Debug build that is buildtype=Official. So, this series of steps builds the Debug project files, then sets the buildtype to Official and builds the Release project files:

export GYP_DEFINES=buildtype=Official
export GYP_GENERATOR_FLAGS=config=Debug
build/gyp_chromium
export GYP_GENERATOR_FLAGS=config=Release
export GYP_DEFINES=buildtype=Official
build/gyp_chromium

Then you can use ninja to build the Debug or Release versions of chrome, with their separate settings.

ninja -C out/Release chrome
ninja -C out/Debug chrome

Bruce

Mar 12, 2015, 3:02:50 PM
to chromi...@chromium.org, pil...@poczta.onet.pl
Unfortunately an e-mail glitch put a spurious setting of GYP_DEFINES=buildtype=Official at the top of my list of commands (in a different font), which then made them nonsensical. Here are the five shell commands to build Debug and Release project files with different settings:

export GYP_GENERATOR_FLAGS=config=Debug
build/gyp_chromium
export GYP_GENERATOR_FLAGS=config=Release
export GYP_DEFINES=buildtype=Official
build/gyp_chromium
