* [Buildroot] [PATCH 1/1] package/wpewebkit: add option to enable sandboxing support
@ 2019-12-14 14:22 Adrian Perez de Castro
2019-12-14 20:21 ` Thomas Petazzoni
0 siblings, 1 reply; 5+ messages in thread
From: Adrian Perez de Castro @ 2019-12-14 14:22 UTC (permalink / raw)
To: buildroot
Add an option to enable WebKit's sandbox, which uses kernel
namespaces to isolate the processes used for Web content rendering
(WebKitWebProcess) and network/disk access (WebKitNetworkProcess).
The reason to have an option is that it needs additional dependencies
(bubblewrap, xdg-dbus-proxy, libseccomp), and that some users may
choose to deploy alternative solution (for example: putting all
of WebKit inside its own container, using systemd-nspawn or the
like).
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
---
package/wpewebkit/Config.in | 14 ++++++++++++++
package/wpewebkit/wpewebkit.mk | 14 ++++++++++++--
2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/package/wpewebkit/Config.in b/package/wpewebkit/Config.in
index f1460db20e..37a3065761 100644
--- a/package/wpewebkit/Config.in
+++ b/package/wpewebkit/Config.in
@@ -63,6 +63,20 @@ config BR2_PACKAGE_WPEWEBKIT
if BR2_PACKAGE_WPEWEBKIT
+config BR2_PACKAGE_WPEWEBKIT_SANDBOX
+ bool "sandboxing support"
+ depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS # libseccomp
+ depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # libseccomp
+ select BR2_PACKAGE_BUBBLEWRAP # runtime
+ select BR2_PACKAGE_XDG_DBUS_PROXY # runtime
+ help
+ Enable sandboxing of the processes used for network operation,
+ disk asccess, and Web content rendering.
+
+comment "sandboxing supports needs a toolchain w/ headers >= 3.12"
+ depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS
+ depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
+
config BR2_PACKAGE_WPEWEBKIT_MULTIMEDIA
bool "multimedia support"
select BR2_PACKAGE_GSTREAMER1
diff --git a/package/wpewebkit/wpewebkit.mk b/package/wpewebkit/wpewebkit.mk
index c90e2d1421..d732938b57 100644
--- a/package/wpewebkit/wpewebkit.mk
+++ b/package/wpewebkit/wpewebkit.mk
@@ -20,8 +20,18 @@ WPEWEBKIT_CONF_OPTS = \
-DPORT=WPE \
-DENABLE_ACCESSIBILITY=OFF \
-DENABLE_API_TESTS=OFF \
- -DENABLE_BUBBLEWRAP_SANDBOX=OFF \
- -DENABLE_MINIBROWSER=OFF
+ -DENABLE_MINIBROWSER=OFF \
+ -DSILENCE_CROSS_COMPILATION_NOTICES=ON
+
+ifeq ($(BR2_PACKAGE_WPEWEBKIT_SANDBOX),y)
+WPEWEBKIT_CONF_OPTS += \
+ -DENABLE_BUBBLEWRAP_SANDBOX=ON \
+ -DBWRAP_EXECUTABLE=/usr/bin/bwrap \
+ -DDBUS_PROXY_EXECUTABLE=/usr/bin/xdg-dbus-proxy
+WPEWEBKIT_DEPENDENCIES += libseccomp
+else
+WPEWEBKIT_CONF_OPTS += -DENABLE_BUBBLEWRAP_SANDBOX=OFF
+endif
ifeq ($(BR2_PACKAGE_WPEWEBKIT_MULTIMEDIA),y)
WPEWEBKIT_CONF_OPTS += \
--
2.24.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/wpewebkit: add option to enable sandboxing support
2019-12-14 14:22 [Buildroot] [PATCH 1/1] package/wpewebkit: add option to enable sandboxing support Adrian Perez de Castro
@ 2019-12-14 20:21 ` Thomas Petazzoni
2019-12-15 18:48 ` Adrian Perez de Castro
0 siblings, 1 reply; 5+ messages in thread
From: Thomas Petazzoni @ 2019-12-14 20:21 UTC (permalink / raw)
To: buildroot
On Sat, 14 Dec 2019 16:22:16 +0200
Adrian Perez de Castro <aperez@igalia.com> wrote:
> Add an option to enable WebKit's sandbox, which uses kernel
> namespaces to isolate the processes used for Web content rendering
> (WebKitWebProcess) and network/disk access (WebKitNetworkProcess).
>
> The reason to have an option is that it needs additional dependencies
> (bubblewrap, xdg-dbus-proxy, libseccomp), and that some users may
> choose to deploy alternative solution (for example: putting all
> of WebKit inside its own container, using systemd-nspawn or the
> like).
>
> Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
> ---
> package/wpewebkit/Config.in | 14 ++++++++++++++
> package/wpewebkit/wpewebkit.mk | 14 ++++++++++++--
> 2 files changed, 26 insertions(+), 2 deletions(-)
>
> diff --git a/package/wpewebkit/Config.in b/package/wpewebkit/Config.in
> index f1460db20e..37a3065761 100644
> --- a/package/wpewebkit/Config.in
> +++ b/package/wpewebkit/Config.in
> @@ -63,6 +63,20 @@ config BR2_PACKAGE_WPEWEBKIT
>
> if BR2_PACKAGE_WPEWEBKIT
>
> +config BR2_PACKAGE_WPEWEBKIT_SANDBOX
> + bool "sandboxing support"
> + depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS # libseccomp
> + depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # libseccomp
> + select BR2_PACKAGE_BUBBLEWRAP # runtime
> + select BR2_PACKAGE_XDG_DBUS_PROXY # runtime
Didn't you forgot a:
select BR2_PACKAGE_LIBSECCOMP
here ? No need to resend just for that, can be fixed when applying.
Thanks,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/wpewebkit: add option to enable sandboxing support
2019-12-14 20:21 ` Thomas Petazzoni
@ 2019-12-15 18:48 ` Adrian Perez de Castro
2019-12-15 18:55 ` Adrian Perez de Castro
2019-12-15 20:34 ` Peter Korsgaard
0 siblings, 2 replies; 5+ messages in thread
From: Adrian Perez de Castro @ 2019-12-15 18:48 UTC (permalink / raw)
To: buildroot
Hi Thomas,
On Sat, 14 Dec 2019 21:21:50 +0100, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
> On Sat, 14 Dec 2019 16:22:16 +0200
> Adrian Perez de Castro <aperez@igalia.com> wrote:
>
> > Add an option to enable WebKit's sandbox, which uses kernel
> > namespaces to isolate the processes used for Web content rendering
> > (WebKitWebProcess) and network/disk access (WebKitNetworkProcess).
> >
> > The reason to have an option is that it needs additional dependencies
> > (bubblewrap, xdg-dbus-proxy, libseccomp), and that some users may
> > choose to deploy alternative solution (for example: putting all
> > of WebKit inside its own container, using systemd-nspawn or the
> > like).
> >
> > Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
> > ---
> > package/wpewebkit/Config.in | 14 ++++++++++++++
> > package/wpewebkit/wpewebkit.mk | 14 ++++++++++++--
> > 2 files changed, 26 insertions(+), 2 deletions(-)
> >
> > diff --git a/package/wpewebkit/Config.in b/package/wpewebkit/Config.in
> > index f1460db20e..37a3065761 100644
> > --- a/package/wpewebkit/Config.in
> > +++ b/package/wpewebkit/Config.in
> > @@ -63,6 +63,20 @@ config BR2_PACKAGE_WPEWEBKIT
> >
> > if BR2_PACKAGE_WPEWEBKIT
> >
> > +config BR2_PACKAGE_WPEWEBKIT_SANDBOX
> > + bool "sandboxing support"
> > + depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS # libseccomp
> > + depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # libseccomp
> > + select BR2_PACKAGE_BUBBLEWRAP # runtime
> > + select BR2_PACKAGE_XDG_DBUS_PROXY # runtime
>
> Didn't you forgot a:
>
> select BR2_PACKAGE_LIBSECCOMP
>
> here ? No need to resend just for that, can be fixed when applying.
Good catch, this ?select? is indeed missing. Please add it when applying.
(Side note: I have noticed that the WebKitGTK package has the same issue,
I'll submit a patch.)
Cheers,
?Adri?n
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20191215/3e4abdd5/attachment.asc>
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/wpewebkit: add option to enable sandboxing support
2019-12-15 18:48 ` Adrian Perez de Castro
@ 2019-12-15 18:55 ` Adrian Perez de Castro
2019-12-15 20:34 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Adrian Perez de Castro @ 2019-12-15 18:55 UTC (permalink / raw)
To: buildroot
Hello,
On Sun, 15 Dec 2019 20:48:16 +0200, Adrian Perez de Castro <aperez@igalia.com> wrote:
> Hi Thomas,
>
> On Sat, 14 Dec 2019 21:21:50 +0100, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
> > On Sat, 14 Dec 2019 16:22:16 +0200
> > Adrian Perez de Castro <aperez@igalia.com> wrote:
> >
> > > Add an option to enable WebKit's sandbox, which uses kernel
> > > namespaces to isolate the processes used for Web content rendering
> > > (WebKitWebProcess) and network/disk access (WebKitNetworkProcess).
> > >
> > > The reason to have an option is that it needs additional dependencies
> > > (bubblewrap, xdg-dbus-proxy, libseccomp), and that some users may
> > > choose to deploy alternative solution (for example: putting all
> > > of WebKit inside its own container, using systemd-nspawn or the
> > > like).
> > >
> > > Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
> > > ---
> > > package/wpewebkit/Config.in | 14 ++++++++++++++
> > > package/wpewebkit/wpewebkit.mk | 14 ++++++++++++--
> > > 2 files changed, 26 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/package/wpewebkit/Config.in b/package/wpewebkit/Config.in
> > > index f1460db20e..37a3065761 100644
> > > --- a/package/wpewebkit/Config.in
> > > +++ b/package/wpewebkit/Config.in
> > > @@ -63,6 +63,20 @@ config BR2_PACKAGE_WPEWEBKIT
> > >
> > > if BR2_PACKAGE_WPEWEBKIT
> > >
> > > +config BR2_PACKAGE_WPEWEBKIT_SANDBOX
> > > + bool "sandboxing support"
> > > + depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS # libseccomp
> > > + depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # libseccomp
> > > + select BR2_PACKAGE_BUBBLEWRAP # runtime
> > > + select BR2_PACKAGE_XDG_DBUS_PROXY # runtime
> >
> > Didn't you forgot a:
> >
> > select BR2_PACKAGE_LIBSECCOMP
> >
> > here ? No need to resend just for that, can be fixed when applying.
>
> Good catch, this ?select? is indeed missing. Please add it when applying.
>
> (Side note: I have noticed that the WebKitGTK package has the same issue,
> I'll submit a patch.)
Submitted: https://patchwork.ozlabs.org/patch/1209998/
Cheers,
?Adri?n
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20191215/6d3b3b6d/attachment.asc>
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/wpewebkit: add option to enable sandboxing support
2019-12-15 18:48 ` Adrian Perez de Castro
2019-12-15 18:55 ` Adrian Perez de Castro
@ 2019-12-15 20:34 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2019-12-15 20:34 UTC (permalink / raw)
To: buildroot
>>>>> "Adrian" == Adrian Perez de Castro <aperez@igalia.com> writes:
Hi,
>> Didn't you forgot a:
>>
>> select BR2_PACKAGE_LIBSECCOMP
>>
>> here ? No need to resend just for that, can be fixed when applying.
> Good catch, this ?select? is indeed missing. Please add it when applying.
Committed with that fixed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-12-15 20:34 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-14 14:22 [Buildroot] [PATCH 1/1] package/wpewebkit: add option to enable sandboxing support Adrian Perez de Castro
2019-12-14 20:21 ` Thomas Petazzoni
2019-12-15 18:48 ` Adrian Perez de Castro
2019-12-15 18:55 ` Adrian Perez de Castro
2019-12-15 20:34 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.