* [Buildroot] [PATCH 0/3] Add option to enable WebKitGTK's sandboxing support
@ 2019-09-20 15:31 Adrian Perez de Castro
  2019-09-20 15:31 ` [Buildroot] [PATCH 1/3] package/bubblewrap: new package Adrian Perez de Castro
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Adrian Perez de Castro @ 2019-09-20 15:31 UTC (permalink / raw)
  To: buildroot

Hi all,

This patch series allows using a new security hardening feature added in
WebKitGTK 2.26: sandboxing of WebKit's Web content rendering and network/disk
access processes (WebKitWebProcess and WebKitNetworkProcess, respectively).

The sandboxing feature uses the new bubblewrap and xdg-dbus-proxy packages,
as well as libseccomp (which already had a package in Buildroot).

Feedback and questions on the patch series are welcome, as always :)

Cheers,

Adrian Perez de Castro (3):
  package/bubblewrap: new package
  package/xdg-dbus-proxy: new package
  package/webkitgtk: add option to enable sandboxing support

 DEVELOPERS                                    |  2 +
 package/Config.in                             |  2 +
 package/bubblewrap/Config.in                  |  7 ++
 package/bubblewrap/bubblewrap.hash            |  5 ++
 package/bubblewrap/bubblewrap.mk              | 40 +++++++++
 ...un-the-Bubblewrap-executable-when-co.patch | 87 +++++++++++++++++++
 package/webkitgtk/Config.in                   | 15 ++++
 package/webkitgtk/webkitgtk.mk                | 12 ++-
 package/xdg-dbus-proxy/Config.in              | 14 +++
 package/xdg-dbus-proxy/xdg-dbus-proxy.hash    |  5 ++
 package/xdg-dbus-proxy/xdg-dbus-proxy.mk      | 17 ++++
 11 files changed, 205 insertions(+), 1 deletion(-)
 create mode 100644 package/bubblewrap/Config.in
 create mode 100644 package/bubblewrap/bubblewrap.hash
 create mode 100644 package/bubblewrap/bubblewrap.mk
 create mode 100644 package/webkitgtk/0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch
 create mode 100644 package/xdg-dbus-proxy/Config.in
 create mode 100644 package/xdg-dbus-proxy/xdg-dbus-proxy.hash
 create mode 100644 package/xdg-dbus-proxy/xdg-dbus-proxy.mk

-- 
2.23.0


* [Buildroot] [PATCH 1/3] package/bubblewrap: new package
  2019-09-20 15:31 [Buildroot] [PATCH 0/3] Add option to enable WebKitGTK's sandboxing support Adrian Perez de Castro
@ 2019-09-20 15:31 ` Adrian Perez de Castro
  2019-12-02 16:22   ` Peter Korsgaard
  2019-09-20 15:31 ` [Buildroot] [PATCH 2/3] package/xdg-dbus-proxy: " Adrian Perez de Castro
  2019-09-20 15:31 ` [Buildroot] [PATCH 3/3] package/webkitgtk: add option to enable sandboxing support Adrian Perez de Castro
  2 siblings, 1 reply; 9+ messages in thread
From: Adrian Perez de Castro @ 2019-09-20 15:31 UTC (permalink / raw)
  To: buildroot

Bubblewrap is a sandboxing tool based on kernel namespaces, typically
used as lower-level infrastructure by other end-user tools e.g. Flatpak.

https://github.com/containers/bubblewrap

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
---
 DEVELOPERS                         |  1 +
 package/Config.in                  |  1 +
 package/bubblewrap/Config.in       |  7 ++++++
 package/bubblewrap/bubblewrap.hash |  5 ++++
 package/bubblewrap/bubblewrap.mk   | 40 ++++++++++++++++++++++++++++++
 5 files changed, 54 insertions(+)
 create mode 100644 package/bubblewrap/Config.in
 create mode 100644 package/bubblewrap/bubblewrap.hash
 create mode 100644 package/bubblewrap/bubblewrap.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 67a0fef088..bf23b3e1e7 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -73,6 +73,7 @@ F:	package/jack1/
 
 N:	Adrian Perez de Castro <aperez@igalia.com>
 F:	package/brotli/
+F:	package/bubblewrap/
 F:	package/cog/
 F:	package/libepoxy/
 F:	package/libwpe/
diff --git a/package/Config.in b/package/Config.in
index dbf297f4df..412ea1129f 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2193,6 +2193,7 @@ menu "System tools"
 	source "package/atop/Config.in"
 	source "package/attr/Config.in"
 	source "package/audit/Config.in"
+	source "package/bubblewrap/Config.in"
 	source "package/cgroupfs-mount/Config.in"
 	source "package/circus/Config.in"
 	source "package/coreutils/Config.in"
diff --git a/package/bubblewrap/Config.in b/package/bubblewrap/Config.in
new file mode 100644
index 0000000000..a5220e3fd5
--- /dev/null
+++ b/package/bubblewrap/Config.in
@@ -0,0 +1,7 @@
+config BR2_PACKAGE_BUBBLEWRAP
+	bool "bubblewrap"
+	select BR2_PACKAGE_LIBCAP
+	help
+	  Unprivileged sandbox tool based on Linux namespaces.
+
+	  https://github.com/projectatomic/bubblewrap
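
Review bot: the help text links https://github.com/projectatomic/bubblewrap while BUBBLEWRAP_SITE in bubblewrap.mk fetches from https://github.com/containers/bubblewrap; use the containers URL in both places. The entry also lacks `depends on BR2_USE_MMU` (bwrap forks) and a libc restriction for the TEMP_FAILURE_RETRY use that breaks musl builds, both of which the maintainer adds when committing later in the thread. Since mount namespaces are mandatory for bwrap and CONFIG_USER_NS decides whether the binary must be installed setuid, a sentence about the required and optional kernel namespace options belongs in this help text as well.
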
diff --git a/package/bubblewrap/bubblewrap.hash b/package/bubblewrap/bubblewrap.hash
new file mode 100644
index 0000000000..c8177d00f5
--- /dev/null
+++ b/package/bubblewrap/bubblewrap.hash
@@ -0,0 +1,5 @@
+# Locally computed:
+sha256 c6a45f51794a908b76833b132471397a7413f07620af08e76c273d9f7b364dff bubblewrap-0.3.3.tar.xz
+
+# Hash for license files:
+sha256 b7993225104d90ddd8024fd838faf300bea5e83d91203eab98e29512acebd69c COPYING
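
Review bot: the tarball hash is marked "Locally computed", so it only pins whatever the submitter downloaded; the xdg-dbus-proxy hash in patch 2/3 instead cites the upstream release page. If the bubblewrap release page publishes a checksum for bubblewrap-0.3.3.tar.xz, reference it here so the value can be cross-checked against upstream rather than trusted on its own.
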
diff --git a/package/bubblewrap/bubblewrap.mk b/package/bubblewrap/bubblewrap.mk
new file mode 100644
index 0000000000..cb02594373
--- /dev/null
+++ b/package/bubblewrap/bubblewrap.mk
@@ -0,0 +1,40 @@
+################################################################################
+#
+# bubblewrap
+#
+################################################################################
+
+BUBBLEWRAP_VERSION = 0.3.3
+BUBBLEWRAP_SITE = https://github.com/containers/bubblewrap/releases/download/v$(BUBBLEWRAP_VERSION)
+BUBBLEWRAP_SOURCE = bubblewrap-$(BUBBLEWRAP_VERSION).tar.xz
+BUBBLEWRAP_DEPENDENCIES = host-pkgconf libcap
+
+BUBBLEWRAP_LICENSE = LGPL-2.0-or-later
+BUBBLEWRAP_LICENSE_FILES = COPYING
+
+BUBBLEWRAP_CONF_OPTS = \
+	--enable-require-userns=no \
+	--disable-man \
+	--disable-sudo \
+	--with-priv-mode=none
+
+ifeq ($(BR2_PACKAGE_BASH_COMPLETION),y)
+BUBBLEWRAP_CONF_OPTS += --with-bash-completion-dir=/usr/share/bash-completion/completions
+else
+BUBBLEWRAP_CONF_OPTS += --without-bash-completion-dir
+endif
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+BUBBLEWRAP_CONF_OPTS += --enable-selinux
+BUBBLEWRAP_DEPENDENCIES += libselinux
+else
+BUBBLEWRAP_CONF_OPTS += --disable-selinux
+endif
+
+# We need to mark bwrap as setuid, in case the kernel
+# has user namespaces disabled for non-root users.
+define BUBBLEWRAP_PERMISSIONS
+	/usr/bin/bwrap f 1755 0 0 - - - - -
+endef
+
+$(eval $(autotools-package))
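
Review bot: the BUBBLEWRAP_PERMISSIONS line does not do what its comment says. Mode 1755 sets the sticky bit (01000) on top of rwxr-xr-x; the setuid bit is 04000, so a setuid-root bwrap needs `/usr/bin/bwrap f 4755 0 0 - - - - -`. Combined with `--with-priv-mode=none`, which keeps the install step from setting setuid itself, the binary would run unprivileged and fail on exactly the kernels without user namespaces that the comment is worried about. Consider also making the setuid install a sub-option (as suggested later in the thread) so targets with CONFIG_USER_NS enabled are not forced to ship a setuid-root binary.
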
-- 
2.23.0


* [Buildroot] [PATCH 2/3] package/xdg-dbus-proxy: new package
  2019-09-20 15:31 [Buildroot] [PATCH 0/3] Add option to enable WebKitGTK's sandboxing support Adrian Perez de Castro
  2019-09-20 15:31 ` [Buildroot] [PATCH 1/3] package/bubblewrap: new package Adrian Perez de Castro
@ 2019-09-20 15:31 ` Adrian Perez de Castro
  2019-12-12 20:58   ` Peter Korsgaard
  2019-09-20 15:31 ` [Buildroot] [PATCH 3/3] package/webkitgtk: add option to enable sandboxing support Adrian Perez de Castro
  2 siblings, 1 reply; 9+ messages in thread
From: Adrian Perez de Castro @ 2019-09-20 15:31 UTC (permalink / raw)
  To: buildroot

xdg-dbus-proxy is a filtering proxy for D-Bus connections, which can
be used to limit access to a set of services. Typically it is used in
combination with containers to provide them with access to certain
services running outside the container.

https://github.com/flatpak/xdg-dbus-proxy

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
---
 DEVELOPERS                                 |  1 +
 package/Config.in                          |  1 +
 package/xdg-dbus-proxy/Config.in           | 14 ++++++++++++++
 package/xdg-dbus-proxy/xdg-dbus-proxy.hash |  5 +++++
 package/xdg-dbus-proxy/xdg-dbus-proxy.mk   | 17 +++++++++++++++++
 5 files changed, 38 insertions(+)
 create mode 100644 package/xdg-dbus-proxy/Config.in
 create mode 100644 package/xdg-dbus-proxy/xdg-dbus-proxy.hash
 create mode 100644 package/xdg-dbus-proxy/xdg-dbus-proxy.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index bf23b3e1e7..698d4f4799 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -81,6 +81,7 @@ F:	package/webkitgtk/
 F:	package/woff2/
 F:	package/wpebackend-fdo/
 F:	package/wpewebkit/
+F:	package/xdg-dbus-proxy/
 
 N:	Adrien Gallou?t <adrien@gallouet.fr>
 F:	package/bird/
diff --git a/package/Config.in b/package/Config.in
index 412ea1129f..6d9a442905 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2267,6 +2267,7 @@ menu "System tools"
 	source "package/tpm2-totp/Config.in"
 	source "package/unscd/Config.in"
 	source "package/util-linux/Config.in"
+	source "package/xdg-dbus-proxy/Config.in"
 	source "package/xen/Config.in"
 	source "package/xvisor/Config.in"
 endmenu
diff --git a/package/xdg-dbus-proxy/Config.in b/package/xdg-dbus-proxy/Config.in
new file mode 100644
index 0000000000..94c144fad7
--- /dev/null
+++ b/package/xdg-dbus-proxy/Config.in
@@ -0,0 +1,14 @@
+config BR2_PACKAGE_XDG_DBUS_PROXY
+	bool "xdg-dbus-proxy"
+	depends on BR2_USE_WCHAR # libglib2 -> gettext
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
+	depends on BR2_USE_MMU # libglib2
+	select BR2_PACKAGE_LIBGLIB2
+	help
+	  Filtering proxy for D-Bus connections.
+
+	  https://github.com/flatpak/xdg-dbus-proxy
+
+comment "xdg-dbus-proxy needs a toolchain w/ wchar, threads"
+	depends on BR2_USE_MMU
+	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
diff --git a/package/xdg-dbus-proxy/xdg-dbus-proxy.hash b/package/xdg-dbus-proxy/xdg-dbus-proxy.hash
new file mode 100644
index 0000000000..37bda78436
--- /dev/null
+++ b/package/xdg-dbus-proxy/xdg-dbus-proxy.hash
@@ -0,0 +1,5 @@
+# From https://github.com/flatpak/xdg-dbus-proxy/releases/tag/0.1.2
+sha256 1749d6f9f46dcc9edc87725641cf56cf91dcad1b01707891ea0850c1000c520f xdg-dbus-proxy-0.1.2.tar.xz
+
+# Hash for license files:
+sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING
diff --git a/package/xdg-dbus-proxy/xdg-dbus-proxy.mk b/package/xdg-dbus-proxy/xdg-dbus-proxy.mk
new file mode 100644
index 0000000000..668e8f67e8
--- /dev/null
+++ b/package/xdg-dbus-proxy/xdg-dbus-proxy.mk
@@ -0,0 +1,17 @@
+################################################################################
+#
+# bubblewrap
+#
+################################################################################
+
+XDG_DBUS_PROXY_VERSION = 0.1.2
+XDG_DBUS_PROXY_SITE = https://github.com/flatpak/xdg-dbus-proxy/releases/download/$(XDG_DBUS_PROXY_VERSION)
+XDG_DBUS_PROXY_SOURCE = xdg-dbus-proxy-$(XDG_DBUS_PROXY_VERSION).tar.xz
+XDG_DBUS_PROXY_DEPENDENCIES = host-pkgconf libglib2
+
+XDG_DBUS_PROXY_LICENSE = LGPL-2.1
+XDG_DBUS_PROXY_LICENSE_FILES = COPYING
+
+XDG_DBUS_PROXY_CONF_OPTS = --disable-man
+
+$(eval $(autotools-package))
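
Review bot: the banner comment says "bubblewrap" instead of "xdg-dbus-proxy" (copy-paste from the previous package). XDG_DBUS_PROXY_LICENSE should also read LGPL-2.1+ rather than LGPL-2.1: the source file headers say "version 2.1 of the License, or (at your option) any later version", as the grep output in the maintainer's reply below shows.
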
-- 
2.23.0


* [Buildroot] [PATCH 3/3] package/webkitgtk: add option to enable sandboxing support
  2019-09-20 15:31 [Buildroot] [PATCH 0/3] Add option to enable WebKitGTK's sandboxing support Adrian Perez de Castro
  2019-09-20 15:31 ` [Buildroot] [PATCH 1/3] package/bubblewrap: new package Adrian Perez de Castro
  2019-09-20 15:31 ` [Buildroot] [PATCH 2/3] package/xdg-dbus-proxy: " Adrian Perez de Castro
@ 2019-09-20 15:31 ` Adrian Perez de Castro
  2019-12-13  7:33   ` Peter Korsgaard
  2 siblings, 1 reply; 9+ messages in thread
From: Adrian Perez de Castro @ 2019-09-20 15:31 UTC (permalink / raw)
  To: buildroot

Add an option to enable WebKit's sandbox, which uses kernel
namespaces to isolate the processes used for Web content rendering
(WebKitWebProcess) and network/disk access (WebKitNetworkProcess).

The reason to have an option is that it needs additional dependencies
(bubblewrap, xdg-dbus-proxy, libseccomp), and that some users may
choose to deploy alternative solutions (for example: putting all
of WebKit inside its own container, using systemd-nspawn or the
like).

Patch "0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch"
is imported from upstream, as it is needed to avoid trying to run
the "bwrap" command from the target during cross-compilation.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
---
 ...un-the-Bubblewrap-executable-when-co.patch | 87 +++++++++++++++++++
 package/webkitgtk/Config.in                   | 15 ++++
 package/webkitgtk/webkitgtk.mk                | 12 ++-
 3 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 package/webkitgtk/0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch

diff --git a/package/webkitgtk/0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch b/package/webkitgtk/0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch
new file mode 100644
index 0000000000..3381cbbfb6
--- /dev/null
+++ b/package/webkitgtk/0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch
@@ -0,0 +1,87 @@
+From a725f6fbe6630a980f5ac74d79fd3e18557190bc Mon Sep 17 00:00:00 2001
+From: "aperez at igalia.com"
+ <aperez@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date: Sun, 15 Sep 2019 13:30:01 +0000
+Subject: [PATCH xserver 2/2] [GTK][WPE] Do not run the Bubblewrap executable
+ when configuring for cross-compilation
+ https://bugs.webkit.org/show_bug.cgi?id=201340
+
+Reviewed by Konstantin Tokarev.
+
+* Source/cmake/BubblewrapSandboxChecks.cmake: Do not run the
+Bubblewrap executable when cross-compiling to guess its version.
+Emit a warning instead and trust that valid run-time paths will
+be set using the BWRAP_EXECUTABLE and DBUS_PROXY_EXECUTABLE
+variables. While at it, fix the regular expression used to match
+the version string in the Bubblewrap output when not cross-compiling.
+
+Fetch from: https://bugs.webkit.org/show_bug.cgi?id=201340
+Upstream-Status: Accepted
+Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
+
+---
+ ChangeLog                                  | 14 ++++++++
+ Source/cmake/BubblewrapSandboxChecks.cmake | 41 ++++++++++++++--------
+ 2 files changed, 41 insertions(+), 14 deletions(-)
+
+diff --git a/Source/cmake/BubblewrapSandboxChecks.cmake b/Source/cmake/BubblewrapSandboxChecks.cmake
+index ac8fbbf3c8e..73cf4ffed35 100644
+--- a/Source/cmake/BubblewrapSandboxChecks.cmake
++++ b/Source/cmake/BubblewrapSandboxChecks.cmake
+@@ -3,20 +3,6 @@ if (ENABLE_BUBBLEWRAP_SANDBOX)
+     if (NOT BWRAP_EXECUTABLE)
+         message(FATAL_ERROR "bwrap executable is needed for ENABLE_BUBBLEWRAP_SANDBOX")
+     endif ()
+-    add_definitions(-DBWRAP_EXECUTABLE="${BWRAP_EXECUTABLE}")
+-
+-    execute_process(
+-        COMMAND "${BWRAP_EXECUTABLE}" --version
+-        RESULT_VARIABLE BWRAP_RET
+-        OUTPUT_VARIABLE BWRAP_OUTPUT
+-    )
+-    if (BWRAP_RET)
+-        message(FATAL_ERROR "Failed to run ${BWRAP_EXECUTABLE}")
+-    endif ()
+-    string(REGEX MATCH "([0-9]+.[0-9]+.[0-9]+)" BWRAP_VERSION "${BWRAP_OUTPUT}")
+-    if (NOT "${BWRAP_VERSION}" VERSION_GREATER_EQUAL "0.3.1")
+-        message(FATAL_ERROR "bwrap must be >= 0.3.1 but ${BWRAP_VERSION} found")
+-    endif ()
+ 
+     find_package(Libseccomp)
+     if (NOT LIBSECCOMP_FOUND)
+@@ -27,5 +13,32 @@ if (ENABLE_BUBBLEWRAP_SANDBOX)
+     if (NOT DBUS_PROXY_EXECUTABLE)
+         message(FATAL_ERROR "xdg-dbus-proxy not found and is needed for ENABLE_BUBBLEWRAP_SANDBOX")
+     endif ()
++
++    if (NOT CMAKE_CROSSCOMPILING)
++        execute_process(
++            COMMAND "${BWRAP_EXECUTABLE}" --version
++            RESULT_VARIABLE BWRAP_RET
++            OUTPUT_VARIABLE BWRAP_OUTPUT
++        )
++        if (BWRAP_RET)
++            message(FATAL_ERROR "Failed to run ${BWRAP_EXECUTABLE}")
++        endif ()
++        string(REGEX MATCH "[0-9]+\\.[0-9]+\\.[0-9]+" BWRAP_VERSION "${BWRAP_OUTPUT}")
++        if (NOT "${BWRAP_VERSION}" VERSION_GREATER_EQUAL "0.3.1")
++            message(FATAL_ERROR "bwrap must be >= 0.3.1 but ${BWRAP_VERSION} found")
++        endif ()
++    elseif (NOT SILENCE_CROSS_COMPILATION_NOTICES)
++        message(NOTICE
++            "***--------------------------------------------------------***\n"
++            "***  Cannot check Bubblewrap version when cross-compiling. ***\n"
++            "***  The target system MUST have version 0.3.1 or newer.   ***\n"
++            "***  Use the BWRAP_EXECUTABLE and DBUS_PROXY_EXECUTABLE    ***\n"
++            "***  variables to set the run-time paths for the 'bwrap'   ***\n"
++            "***  and 'xdg-dbus-proxy' programs.                        ***\n"
++            "***--------------------------------------------------------***"
++        )
++    endif ()
++
++    add_definitions(-DBWRAP_EXECUTABLE="${BWRAP_EXECUTABLE}")
+     add_definitions(-DDBUS_PROXY_EXECUTABLE="${DBUS_PROXY_EXECUTABLE}")
+ endif ()
+-- 
+2.23.0
+
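
Review bot: the embedded patch header carries a stray "xserver" in its Subject prefix and an SVN-mirror address in the From line; harmless to apply, but worth cleaning before import. Functionally, once CMAKE_CROSSCOMPILING is set the >= 0.3.1 version check is skipped entirely, so the minimum version is now enforced only by the packager: bubblewrap.mk pins 0.3.3, which satisfies it, but nothing in the build will catch a future downgrade, so a comment in bubblewrap.mk recording the WebKit requirement would help. The regex change from `([0-9]+.[0-9]+.[0-9]+)` to `[0-9]+\\.[0-9]+\\.[0-9]+` is correct, as the unescaped dots matched any character.
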
diff --git a/package/webkitgtk/Config.in b/package/webkitgtk/Config.in
index db67c89042..8d2f622a06 100644
--- a/package/webkitgtk/Config.in
+++ b/package/webkitgtk/Config.in
@@ -57,6 +57,21 @@ config BR2_PACKAGE_WEBKITGTK
 
 if BR2_PACKAGE_WEBKITGTK
 
+config BR2_PACKAGE_WEBKITGTK_SANDBOX
+	bool "sandboxing support"
+	default n
+	depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS # libseccomp
+	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # libseccomp
+	select BR2_PACKAGE_BUBBLEWRAP # runtime
+	select BR2_PACKAGE_XDG_DBUS_PROXY # runtime
+	help
+	  Enable sandboxing of the processes used for network operation,
+	  disk access, and Web content rendering.
+
+comment "sandboxing support needs a toolchain w/ headers >= 3.12"
+	depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS
+	depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
+
 config BR2_PACKAGE_WEBKITGTK_HTTPS
 	bool "HTTPS support"
 	depends on !BR2_STATIC_LIBS # libsoup -> glib-networking, gnutls
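
Review bot: `default n` is already the kconfig default for a bool and Buildroot convention is to omit it. The two `select`s pull in bubblewrap and xdg-dbus-proxy as run-time tools only, which is right, but the help text should state what the target kernel needs and the build cannot verify: namespace support for bwrap (mount namespaces at minimum) and seccomp filter support (CONFIG_SECCOMP_FILTER) for the filters that the libseccomp dependency implies.
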
diff --git a/package/webkitgtk/webkitgtk.mk b/package/webkitgtk/webkitgtk.mk
index 0eef7cafcd..17701f4b14 100644
--- a/package/webkitgtk/webkitgtk.mk
+++ b/package/webkitgtk/webkitgtk.mk
@@ -17,19 +17,29 @@ WEBKITGTK_DEPENDENCIES = host-ruby host-python host-gperf \
 	libtasn1 libxml2 libxslt openjpeg sqlite webp woff2
 WEBKITGTK_CONF_OPTS = \
 	-DENABLE_API_TESTS=OFF \
-	-DENABLE_BUBBLEWRAP_SANDBOX=OFF \
 	-DENABLE_GEOLOCATION=OFF \
 	-DENABLE_GTKDOC=OFF \
 	-DENABLE_INTROSPECTION=OFF \
 	-DENABLE_MINIBROWSER=ON \
 	-DENABLE_SPELLCHECK=ON \
 	-DPORT=GTK \
+	-DSILENCE_CROSS_COMPILATION_NOTICES=ON \
 	-DUSE_LIBNOTIFY=OFF \
 	-DUSE_LIBHYPHEN=OFF \
 	-DUSE_OPENJPEG=ON \
 	-DUSE_WOFF2=ON \
 	-DUSE_WPE_RENDERER=OFF
 
+ifeq ($(BR2_PACKAGE_WEBKITGTK_SANDBOX),y)
+WEBKITGTK_CONF_OPTS += \
+	-DENABLE_BUBBLEWRAP_SANDBOX=ON \
+	-DBWRAP_EXECUTABLE=/usr/bin/bwrap \
+	-DDBUS_PROXY_EXECUTABLE=/usr/bin/xdg-dbus-proxy
+WEBKITGTK_DEPENDENCIES += libseccomp
+else
+WEBKITGTK_CONF_OPTS += -DENABLE_BUBBLEWRAP_SANDBOX=OFF
+endif
+
 ifeq ($(BR2_PACKAGE_WEBKITGTK_MULTIMEDIA),y)
 WEBKITGTK_CONF_OPTS += \
 	-DENABLE_VIDEO=ON \
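
Review bot: `-DSILENCE_CROSS_COMPILATION_NOTICES=ON` is added unconditionally, so the notice that the target must ship bwrap >= 0.3.1 is never displayed; that is acceptable only because Buildroot controls the bubblewrap version, and a short comment next to the flag saying so would make the trade-off explicit. The hard-coded /usr/bin/bwrap and /usr/bin/xdg-dbus-proxy paths match the default install prefix of both packages, and leaving them out of WEBKITGTK_DEPENDENCIES is correct since they are needed at run time only.
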
-- 
2.23.0


* [Buildroot] [PATCH 1/3] package/bubblewrap: new package
  2019-09-20 15:31 ` [Buildroot] [PATCH 1/3] package/bubblewrap: new package Adrian Perez de Castro
@ 2019-12-02 16:22   ` Peter Korsgaard
  2019-12-05 23:22     ` Adrian Perez de Castro
  0 siblings, 1 reply; 9+ messages in thread
From: Peter Korsgaard @ 2019-12-02 16:22 UTC (permalink / raw)
  To: buildroot

>>>>> "Adrian" == Adrian Perez de Castro <aperez@igalia.com> writes:

 > Bubblewrap is a sandboxing tool based on kernel namespaces, typically
 > used as lower-level infrastructure by other end-user tools e.g. Flatpak.

 > https://github.com/containers/bubblewrap

 > Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
 > ---
 >  DEVELOPERS                         |  1 +
 >  package/Config.in                  |  1 +
 >  package/bubblewrap/Config.in       |  7 ++++++
 >  package/bubblewrap/bubblewrap.hash |  5 ++++
 >  package/bubblewrap/bubblewrap.mk   | 40 ++++++++++++++++++++++++++++++
 >  5 files changed, 54 insertions(+)
 >  create mode 100644 package/bubblewrap/Config.in
 >  create mode 100644 package/bubblewrap/bubblewrap.hash
 >  create mode 100644 package/bubblewrap/bubblewrap.mk

 > diff --git a/DEVELOPERS b/DEVELOPERS
 > index 67a0fef088..bf23b3e1e7 100644
 > --- a/DEVELOPERS
 > +++ b/DEVELOPERS
 > @@ -73,6 +73,7 @@ F:	package/jack1/
 
 >  N:	Adrian Perez de Castro <aperez@igalia.com>
 >  F:	package/brotli/
 > +F:	package/bubblewrap/
 >  F:	package/cog/
 >  F:	package/libepoxy/
 >  F:	package/libwpe/
 > diff --git a/package/Config.in b/package/Config.in
 > index dbf297f4df..412ea1129f 100644
 > --- a/package/Config.in
 > +++ b/package/Config.in
 > @@ -2193,6 +2193,7 @@ menu "System tools"
 >  	source "package/atop/Config.in"
 >  	source "package/attr/Config.in"
 >  	source "package/audit/Config.in"
 > +	source "package/bubblewrap/Config.in"
 >  	source "package/cgroupfs-mount/Config.in"
 >  	source "package/circus/Config.in"
 >  	source "package/coreutils/Config.in"
 > diff --git a/package/bubblewrap/Config.in b/package/bubblewrap/Config.in
 > new file mode 100644
 > index 0000000000..a5220e3fd5
 > --- /dev/null
 > +++ b/package/bubblewrap/Config.in
 > @@ -0,0 +1,7 @@
 > +config BR2_PACKAGE_BUBBLEWRAP
 > +	bool "bubblewrap"
 > +	select BR2_PACKAGE_LIBCAP

It uses fork(), so it needs to depend on BR2_USE_MMU. It also uses
TEMP_FAILURE_RETRY which isn't available on musl, so it should only be
available for glibc/uclibc - Notice that 0.4.0 was recently released
which according to the changelog fixes builds against musl.

Committed with these fixes, thanks.

I wonder what kernel namespacing options are required and/or
recommended? For required options we should add logic in linux/linux.mk
to enable them, and for optional/recommended options it would be good to
mention them in the help text.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 1/3] package/bubblewrap: new package
  2019-12-02 16:22   ` Peter Korsgaard
@ 2019-12-05 23:22     ` Adrian Perez de Castro
  2019-12-07 13:12       ` Peter Korsgaard
  0 siblings, 1 reply; 9+ messages in thread
From: Adrian Perez de Castro @ 2019-12-05 23:22 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon, 02 Dec 2019 17:22:52 +0100, Peter Korsgaard <peter@korsgaard.com> wrote:
> >>>>> "Adrian" == Adrian Perez de Castro <aperez@igalia.com> writes:
> 
>  > Bubblewrap is a sandboxing tool based on kernel namespaces, typically
>  > used as lower-level infrastructure by other end-user tools e.g. Flatpak.
> 
>  > https://github.com/containers/bubblewrap
> 
>  > Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
>  > ---
>  >  DEVELOPERS                         |  1 +
>  >  package/Config.in                  |  1 +
>  >  package/bubblewrap/Config.in       |  7 ++++++
>  >  package/bubblewrap/bubblewrap.hash |  5 ++++
>  >  package/bubblewrap/bubblewrap.mk   | 40 ++++++++++++++++++++++++++++++
>  >  5 files changed, 54 insertions(+)
>  >  create mode 100644 package/bubblewrap/Config.in
>  >  create mode 100644 package/bubblewrap/bubblewrap.hash
>  >  create mode 100644 package/bubblewrap/bubblewrap.mk
> 
>  > diff --git a/DEVELOPERS b/DEVELOPERS
>  > index 67a0fef088..bf23b3e1e7 100644
>  > --- a/DEVELOPERS
>  > +++ b/DEVELOPERS
>  > @@ -73,6 +73,7 @@ F:	package/jack1/
>  
>  >  N:	Adrian Perez de Castro <aperez@igalia.com>
>  >  F:	package/brotli/
>  > +F:	package/bubblewrap/
>  >  F:	package/cog/
>  >  F:	package/libepoxy/
>  >  F:	package/libwpe/
>  > diff --git a/package/Config.in b/package/Config.in
>  > index dbf297f4df..412ea1129f 100644
>  > --- a/package/Config.in
>  > +++ b/package/Config.in
>  > @@ -2193,6 +2193,7 @@ menu "System tools"
>  >  	source "package/atop/Config.in"
>  >  	source "package/attr/Config.in"
>  >  	source "package/audit/Config.in"
>  > +	source "package/bubblewrap/Config.in"
>  >  	source "package/cgroupfs-mount/Config.in"
>  >  	source "package/circus/Config.in"
>  >  	source "package/coreutils/Config.in"
>  > diff --git a/package/bubblewrap/Config.in b/package/bubblewrap/Config.in
>  > new file mode 100644
>  > index 0000000000..a5220e3fd5
>  > --- /dev/null
>  > +++ b/package/bubblewrap/Config.in
>  > @@ -0,0 +1,7 @@
>  > +config BR2_PACKAGE_BUBBLEWRAP
>  > +	bool "bubblewrap"
>  > +	select BR2_PACKAGE_LIBCAP
> 
> It uses fork(), so it needs to depend on BR2_USE_MMU. It also uses
> TEMP_FAILURE_RETRY which isn't available on musl, so it should only be
> available for glibc/uclibc - Notice that 0.4.0 was recently released
> which according to the changelog fixes builds against musl.
> 
> Committed with these fixes, thanks.

\o/

I will post a follow-up patch updating to version 0.4.0 when I manage to get a
little bit of spare time, so we can support the package on Musl as well.

> I wonder what kernel namespacing options are required and/or
> recommended? For required options we should add logic in linux/linux.mk
> to enable them, and for optional/recommended options it would be good to
> mention them in the help text.

Mount namespaces are mandatory (I think those cannot be disabled in the kernel
config, I'll have to check to be sure), while User, IPC, PID, Network, and UTS
namespaces are optional. Side note: If User namespaces are enabled in the
kernel, we could avoid installing the "bwrap" binary setuid root, is this
something desirable?

Cheers,
Adrián


* [Buildroot] [PATCH 1/3] package/bubblewrap: new package
  2019-12-05 23:22     ` Adrian Perez de Castro
@ 2019-12-07 13:12       ` Peter Korsgaard
  0 siblings, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2019-12-07 13:12 UTC (permalink / raw)
  To: buildroot

>>>>> "Adrian" == Adrian Perez de Castro <aperez@igalia.com> writes:

Hi,

 >> Committed with these fixes, thanks.

 > \o/

;)

 > I will post a follow patch updating to version 0.4.0 when I manage to get a
 > little bit of spare time, so we can support the package on Musl as well.

Great, thanks.


 >> I wonder what kernel namespacing options are required and/or
 >> recommended? For required options we should add logic in linux/linux.mk
 >> to enable them, and for optional/recommended options it would be good to
 >> mention them in the help text.

 > Mount namespaces are mandatory (I think those cannot be disabled in the kernel
 > config, I'll have to check to be sure), while User, IPC, PID, Network, and UTS
 > namespaces are optional.

Ok. Perhaps we should mention something about that in the help text?


 > Side note: If User namespaces are enabled in the kernel, we could
 > avoid installing the "bwrap" binary setuid root, is this something
 > desirable?

I believe so, but there is no simple way to detect that at build time,
so the only thing we can do is to add a sub option to install the bwrap
binary suid or not (default to y) with a help text describing the user
namespace dependency.

-- 
Bye, Peter Korsgaard
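
The kernel-option question raised in this sub-thread (mount namespaces mandatory for bwrap, the other namespace types optional, and user namespaces deciding whether bwrap has to be installed setuid root) can be turned into a build-time check on the target kernel's .config. The script below is an added example and is not code from the Buildroot patches or from upstream bubblewrap; it assumes that CONFIG_NAMESPACES provides the mandatory mount namespaces, that the libseccomp-based filters need CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER, and it uses two constructed .config fragments as input.

```shell
#!/bin/sh
# Added example, not part of the Buildroot patches: inspect a kernel
# .config for the options the bubblewrap-based WebKitGTK sandbox relies on.
# Required here: CONFIG_NAMESPACES (mount namespaces, which bwrap always
# needs) and CONFIG_SECCOMP/CONFIG_SECCOMP_FILTER (libseccomp filters).
# Optional: the other namespace types bwrap can unshare.  CONFIG_USER_NS
# decides whether bwrap has to be installed setuid root.

REQUIRED_OPTS="CONFIG_NAMESPACES CONFIG_SECCOMP CONFIG_SECCOMP_FILTER"
OPTIONAL_OPTS="CONFIG_USER_NS CONFIG_PID_NS CONFIG_NET_NS CONFIG_IPC_NS CONFIG_UTS_NS"

# config_value FILE OPTION: prints y, m, n ("# OPTION is not set") or
# "missing" when the option does not appear in the file at all.
config_value() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo missing
    fi
}

# check_sandbox_config FILE: one line per option; returns 0 only when every
# required option is built in (=y; these cannot be modules).
check_sandbox_config() {
    _cfg=$1
    _rc=0
    for _o in $REQUIRED_OPTS; do
        _v=$(config_value "$_cfg" "$_o")
        if [ "$_v" = y ]; then
            echo "required $_o: ok"
        else
            echo "required $_o: NOT SET ($_v)"
            _rc=1
        fi
    done
    for _o in $OPTIONAL_OPTS; do
        echo "optional $_o: $(config_value "$_cfg" "$_o")"
    done
    # The setuid question from the thread: without user namespaces an
    # unprivileged bwrap cannot create its mount namespace.
    if [ "$(config_value "$_cfg" CONFIG_USER_NS)" = y ]; then
        echo "note: CONFIG_USER_NS=y, bwrap can work unprivileged if the kernel allows unprivileged user namespaces at run time"
    else
        echo "note: CONFIG_USER_NS is off, bwrap must be installed setuid root (mode 4755)"
    fi
    return $_rc
}

# Constructed sample configs for the demonstration (not taken from any board).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/good.config" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
EOF
cat > "$SAMPLE_DIR/bad.config" <<'EOF'
CONFIG_NAMESPACES=y
# CONFIG_UTS_NS is not set
CONFIG_IPC_NS=y
# CONFIG_USER_NS is not set
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_SECCOMP is not set
EOF

check_sandbox_config "$SAMPLE_DIR/good.config"
echo
check_sandbox_config "$SAMPLE_DIR/bad.config" || echo "bad.config: the sandbox would not work on this kernel"
```

Point the script at the .config Buildroot produced for the target (output/build/linux-*/.config) before enabling BR2_PACKAGE_WEBKITGTK_SANDBOX; the "note" line tells you whether the setuid install of bwrap is actually needed for that kernel.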


* [Buildroot] [PATCH 2/3] package/xdg-dbus-proxy: new package
  2019-09-20 15:31 ` [Buildroot] [PATCH 2/3] package/xdg-dbus-proxy: " Adrian Perez de Castro
@ 2019-12-12 20:58   ` Peter Korsgaard
  0 siblings, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2019-12-12 20:58 UTC (permalink / raw)
  To: buildroot

>>>>> "Adrian" == Adrian Perez de Castro <aperez@igalia.com> writes:

 > xdg-dbus-proxy is a filtering proxy for D-Bus connections, which can
 > be used to limit access to a set of services. Typically it is used in
 > combination with containers to provide them with access to certain
 > services running outside the container.

 > https://github.com/flatpak/xdg-dbus-proxy

 > Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
 > ---
 >  DEVELOPERS                                 |  1 +
 >  package/Config.in                          |  1 +
 >  package/xdg-dbus-proxy/Config.in           | 14 ++++++++++++++
 >  package/xdg-dbus-proxy/xdg-dbus-proxy.hash |  5 +++++
 >  package/xdg-dbus-proxy/xdg-dbus-proxy.mk   | 17 +++++++++++++++++
 >  5 files changed, 38 insertions(+)
 >  create mode 100644 package/xdg-dbus-proxy/Config.in
 >  create mode 100644 package/xdg-dbus-proxy/xdg-dbus-proxy.hash
 >  create mode 100644 package/xdg-dbus-proxy/xdg-dbus-proxy.mk

 > +++ b/package/xdg-dbus-proxy/xdg-dbus-proxy.mk
 > @@ -0,0 +1,17 @@
 > +################################################################################
 > +#
 > +# bubblewrap
 > +#
 > +################################################################################
 > +
 > +XDG_DBUS_PROXY_VERSION = 0.1.2
 > +XDG_DBUS_PROXY_SITE = https://github.com/flatpak/xdg-dbus-proxy/releases/download/$(XDG_DBUS_PROXY_VERSION)
 > +XDG_DBUS_PROXY_SOURCE = xdg-dbus-proxy-$(XDG_DBUS_PROXY_VERSION).tar.xz
 > +XDG_DBUS_PROXY_DEPENDENCIES = host-pkgconf libglib2
 > +
 > +XDG_DBUS_PROXY_LICENSE = LGPL-2.1

It looks to be LGPL-2.1+:

grep -rs 'any later version' **/*.c
dbus-proxy.c: * version 2.1 of the License, or (at your option) any later version.
flatpak-proxy.c: * version 2.1 of the License, or (at your option) any later version.
tests/test-proxy.c: * version 2.1 of the License, or (at your option) any later version.

So I changed that and committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 3/3] package/webkitgtk: add option to enable sandboxing support
  2019-09-20 15:31 ` [Buildroot] [PATCH 3/3] package/webkitgtk: add option to enable sandboxing support Adrian Perez de Castro
@ 2019-12-13  7:33   ` Peter Korsgaard
  0 siblings, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2019-12-13  7:33 UTC (permalink / raw)
  To: buildroot

>>>>> "Adrian" == Adrian Perez de Castro <aperez@igalia.com> writes:

 > Add an option to enable WebKit's sandbox, which uses kernel
 > namespaces to isolate the processes used for Web content rendering
 > (WebKitWebProcess) and network/disk access (WebKitNetworkProcess).

 > The reason to have an option is that it needs additional dependencies
 > (bubblewrap, xdg-dbus-proxy, libseccomp), and that some users may
 > choose to deploy alternative solutions (for example: putting all
 > of WebKit inside its own container, using systemd-nspawn or the
 > like).

 > Patch "0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch"
 > is imported from upstream, as it is needed to avoid trying to run
 > the "bwrap" command from the target during cross-compilation.

 > Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

