[Buildroot] [PATCH 1/1] package/wpewebkit: add option to enable sandboxing support

Adrian Perez de Castro aperez at igalia.com
Sun Dec 15 18:55:32 UTC 2019


Hello,

On Sun, 15 Dec 2019 20:48:16 +0200, Adrian Perez de Castro <aperez at igalia.com> wrote:
> Hi Thomas,
> 
> On Sat, 14 Dec 2019 21:21:50 +0100, Thomas Petazzoni <thomas.petazzoni at bootlin.com> wrote:
> > On Sat, 14 Dec 2019 16:22:16 +0200
> > Adrian Perez de Castro <aperez at igalia.com> wrote:
> > 
> > > Add an option to enable WebKit's sandbox, which uses kernel
> > > namespaces to isolate the processes used for Web content rendering
> > > (WebKitWebProcess) and network/disk access (WebKitNetworkProcess).
> > > 
> > > The reason to have an option is that it needs additional dependencies
> > > (bubblewrap, xdg-dbus-proxy, libseccomp), and that some users may
> > > choose to deploy an alternative solution (for example: putting all
> > > of WebKit inside its own container, using systemd-nspawn or the
> > > like).
> > > 
> > > Signed-off-by: Adrian Perez de Castro <aperez at igalia.com>
> > > ---
> > >  package/wpewebkit/Config.in    | 14 ++++++++++++++
> > >  package/wpewebkit/wpewebkit.mk | 14 ++++++++++++--
> > >  2 files changed, 26 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/package/wpewebkit/Config.in b/package/wpewebkit/Config.in
> > > index f1460db20e..37a3065761 100644
> > > --- a/package/wpewebkit/Config.in
> > > +++ b/package/wpewebkit/Config.in
> > > @@ -63,6 +63,20 @@ config BR2_PACKAGE_WPEWEBKIT
> > >  
> > >  if BR2_PACKAGE_WPEWEBKIT
> > >  
> > > +config BR2_PACKAGE_WPEWEBKIT_SANDBOX
> > > +	bool "sandboxing support"
> > > +	depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS # libseccomp
> > > +	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # libseccomp
> > > +	select BR2_PACKAGE_BUBBLEWRAP # runtime
> > > +	select BR2_PACKAGE_XDG_DBUS_PROXY # runtime
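Review bot: In the new BR2_PACKAGE_WPEWEBKIT_SANDBOX entry, both `depends on` lines are tagged `# libseccomp`, and nothing visible carries over the requirements of the two packages pulled in with `select` (bubblewrap and xdg-dbus-proxy). Kconfig's `select` forces a symbol on without evaluating that symbol's own `depends on`, so check the Config.in of both packages and replicate any architecture, toolchain or library conditions here, tagged `# bubblewrap` or `# xdg-dbus-proxy` in the same style. Otherwise the sandbox option can be enabled in a configuration where its runtime helpers cannot be built. Since the option is hidden when the 3.12 headers condition is not met, a `comment` entry stating that requirement would also help, unless it is in the part of the hunk not quoted here.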
> > 
> > Didn't you forget a:
> > 
> > 	select BR2_PACKAGE_LIBSECCOMP
> > 
> > here? No need to resend just for that, can be fixed when applying.
> 
> Good catch, this “select” is indeed missing. Please add it when applying.
> 
> (Side note: I have noticed that the WebKitGTK package has the same issue,
> I'll submit a patch.)

Submitted: https://patchwork.ozlabs.org/patch/1209998/

Cheers,
—Adrián