From patchwork Fri Sep 20 15:31:06 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adrian Perez de Castro <aperez@igalia.com>
X-Patchwork-Id: 1165275
Return-Path: <buildroot-bounces@busybox.net>
X-Original-To: incoming-buildroot@patchwork.ozlabs.org
Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=busybox.net
	(client-ip=140.211.166.133; helo=hemlock.osuosl.org;
	envelope-from=buildroot-bounces@busybox.net;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=none (p=none dis=none) header.from=igalia.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=igalia.com header.i=@igalia.com
	header.b="S6/MaakA"; dkim-atps=neutral
Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 46Zd3r6F6Gz9s00
	for <incoming-buildroot@patchwork.ozlabs.org>;
	Sat, 21 Sep 2019 01:31:36 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by hemlock.osuosl.org (Postfix) with ESMTP id 3B2BD87F84;
	Fri, 20 Sep 2019 15:31:34 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from hemlock.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 4nm6FRlz7wFo; Fri, 20 Sep 2019 15:31:32 +0000 (UTC)
Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34])
	by hemlock.osuosl.org (Postfix) with ESMTP id B989087F38;
	Fri, 20 Sep 2019 15:31:32 +0000 (UTC)
X-Original-To: buildroot@lists.busybox.net
Delivered-To: buildroot@osuosl.org
Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])
	by ash.osuosl.org (Postfix) with ESMTP id E959F1BF5DB
	for <buildroot@lists.busybox.net>;
	Fri, 20 Sep 2019 15:31:30 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by fraxinus.osuosl.org (Postfix) with ESMTP id E56E68626E
	for <buildroot@lists.busybox.net>;
	Fri, 20 Sep 2019 15:31:30 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from fraxinus.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id BuJeRElRfOyA for <buildroot@lists.busybox.net>;
	Fri, 20 Sep 2019 15:31:29 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from fanzine.igalia.com (fanzine.igalia.com [91.117.99.155])
	by fraxinus.osuosl.org (Postfix) with ESMTPS id 1734F8626F
	for <buildroot@buildroot.org>; Fri, 20 Sep 2019 15:31:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com;
	s=20170329;
	h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From;
	bh=z7xlYLaccQG1fz5/IHFobmPkbchyfP8KoTudIvKk4L8=;
	b=S6/MaakARHxhL47d80Do75VLNY8bRarP37oLMf2F0OUgohuZtPod1kx4C0wurzybNscY/bH/RkZKxcbZBZQAmkgeYr/mRP2OfbblFlxnn9GpQnOw3TMs8iwxWfFDfXWgvmzPQIsVWbwdO0kBlWQJf7g67fB5Q3dd6Fg/mtNEFjYLv+25I45S/jidTs9al8TBhlEdJBIfLZ7MsHg8H/lBRDtkmDV1LXZCJMlXb0uCS9E4JVeDF6Ear4eebpPlMTffrf1g3XlXqSkU9xB3/+gpXnpRCzjDkeN0K5Lr4mjSXgyZf+ob8YfiWwdBQMDt80B59cup3AdCbD0g7zACyyTAAA==;
Received: from 82-181-115-92.bb.dnainternet.fi ([82.181.115.92] helo=kodama)
	by fanzine.igalia.com with esmtpsa
	(Cipher TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim)
	id 1iBKsX-0003Hl-Hp; Fri, 20 Sep 2019 17:31:25 +0200
Received: from localhost (kodama [local])
	by kodama (OpenSMTPD) with ESMTPA id d6dfd696;
	Fri, 20 Sep 2019 15:31:06 +0000 (UTC)
From: Adrian Perez de Castro <aperez@igalia.com>
To: buildroot@buildroot.org
Date: Fri, 20 Sep 2019 18:31:06 +0300
Message-Id: <20190920153106.2274596-4-aperez@igalia.com>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20190920153106.2274596-1-aperez@igalia.com>
References: <20190920153106.2274596-1-aperez@igalia.com>
MIME-Version: 1.0
Subject: [Buildroot] [PATCH 3/3] package/webkitgtk: add option to enable
	sandboxing support
X-BeenThere: buildroot@busybox.net
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.busybox.net>
List-Unsubscribe: <http://lists.busybox.net/mailman/options/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=unsubscribe>
List-Archive: <http://lists.busybox.net/pipermail/buildroot/>
List-Post: <mailto:buildroot@busybox.net>
List-Help: <mailto:buildroot-request@busybox.net?subject=help>
List-Subscribe: <http://lists.busybox.net/mailman/listinfo/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=subscribe>
Cc: Adrian Perez de Castro <aperez@igalia.com>
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

Add an option to enable WebKit's sandbox, which uses kernel
namespaces to isolate the processes used for Web content rendering
(WebKitWebProcess) and network/disk access (WebKitNetworkProcess).

The reason to have an option is that it needs additional dependencies
(bubblewrap, xdg-dbus-proxy, libseccomp), and that some users may
choose to deploy alternative solutions (for example: putting all
of WebKit inside its own container, using systemd-nspawn or the
like).

Patch "0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch"
is imported from upstream, as it is needed to avoid trying to run
the "bwrap" command from the target during cross-compilation.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
---
 ...un-the-Bubblewrap-executable-when-co.patch | 87 +++++++++++++++++++
 package/webkitgtk/Config.in                   | 15 ++++
 package/webkitgtk/webkitgtk.mk                | 12 ++-
 3 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 package/webkitgtk/0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch

diff --git a/package/webkitgtk/0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch b/package/webkitgtk/0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch
new file mode 100644
index 0000000000..3381cbbfb6
--- /dev/null
+++ b/package/webkitgtk/0002-GTK-WPE-Do-not-run-the-Bubblewrap-executable-when-co.patch
@@ -0,0 +1,87 @@
+From a725f6fbe6630a980f5ac74d79fd3e18557190bc Mon Sep 17 00:00:00 2001
+From: "aperez@igalia.com"
+ <aperez@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date: Sun, 15 Sep 2019 13:30:01 +0000
+Subject: [PATCH xserver 2/2] [GTK][WPE] Do not run the Bubblewrap executable
+ when configuring for cross-compilation
+ https://bugs.webkit.org/show_bug.cgi?id=201340
+
+Reviewed by Konstantin Tokarev.
+
+* Source/cmake/BubblewrapSandboxChecks.cmake: Do not run the
+Bubblewrap executable when cross-compiling to guess its version.
+Emit a warning instead and trust that valid run-time paths will
+be set using the BWRAP_EXECUTABLE and DBUS_PROXY_EXECUTABLE
+variables. While at it, fix the regular expression used to match
+the version string in the Bubblewrap output when not cross-compiling.
+
+Fetch from: https://bugs.webkit.org/show_bug.cgi?id=201340
+Upstream-Status: Accepted
+Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
+
+---
+ ChangeLog                                  | 14 ++++++++
+ Source/cmake/BubblewrapSandboxChecks.cmake | 41 ++++++++++++++--------
+ 2 files changed, 41 insertions(+), 14 deletions(-)
+
+diff --git a/Source/cmake/BubblewrapSandboxChecks.cmake b/Source/cmake/BubblewrapSandboxChecks.cmake
+index ac8fbbf3c8e..73cf4ffed35 100644
+--- a/Source/cmake/BubblewrapSandboxChecks.cmake
++++ b/Source/cmake/BubblewrapSandboxChecks.cmake
+@@ -3,20 +3,6 @@ if (ENABLE_BUBBLEWRAP_SANDBOX)
+     if (NOT BWRAP_EXECUTABLE)
+         message(FATAL_ERROR "bwrap executable is needed for ENABLE_BUBBLEWRAP_SANDBOX")
+     endif ()
+-    add_definitions(-DBWRAP_EXECUTABLE="${BWRAP_EXECUTABLE}")
+-
+-    execute_process(
+-        COMMAND "${BWRAP_EXECUTABLE}" --version
+-        RESULT_VARIABLE BWRAP_RET
+-        OUTPUT_VARIABLE BWRAP_OUTPUT
+-    )
+-    if (BWRAP_RET)
+-        message(FATAL_ERROR "Failed to run ${BWRAP_EXECUTABLE}")
+-    endif ()
+-    string(REGEX MATCH "([0-9]+.[0-9]+.[0-9]+)" BWRAP_VERSION "${BWRAP_OUTPUT}")
+-    if (NOT "${BWRAP_VERSION}" VERSION_GREATER_EQUAL "0.3.1")
+-        message(FATAL_ERROR "bwrap must be >= 0.3.1 but ${BWRAP_VERSION} found")
+-    endif ()
+ 
+     find_package(Libseccomp)
+     if (NOT LIBSECCOMP_FOUND)
+@@ -27,5 +13,32 @@ if (ENABLE_BUBBLEWRAP_SANDBOX)
+     if (NOT DBUS_PROXY_EXECUTABLE)
+         message(FATAL_ERROR "xdg-dbus-proxy not found and is needed for ENABLE_BUBBLEWRAP_SANDBOX")
+     endif ()
++
++    if (NOT CMAKE_CROSSCOMPILING)
++        execute_process(
++            COMMAND "${BWRAP_EXECUTABLE}" --version
++            RESULT_VARIABLE BWRAP_RET
++            OUTPUT_VARIABLE BWRAP_OUTPUT
++        )
++        if (BWRAP_RET)
++            message(FATAL_ERROR "Failed to run ${BWRAP_EXECUTABLE}")
++        endif ()
++        string(REGEX MATCH "[0-9]+\\.[0-9]+\\.[0-9]+" BWRAP_VERSION "${BWRAP_OUTPUT}")
++        if (NOT "${BWRAP_VERSION}" VERSION_GREATER_EQUAL "0.3.1")
++            message(FATAL_ERROR "bwrap must be >= 0.3.1 but ${BWRAP_VERSION} found")
++        endif ()
++    elseif (NOT SILENCE_CROSS_COMPILATION_NOTICES)
++        message(NOTICE
++            "***--------------------------------------------------------***\n"
++            "***  Cannot check Bubblewrap version when cross-compiling. ***\n"
++            "***  The target system MUST have version 0.3.1 or newer.   ***\n"
++            "***  Use the BWRAP_EXECUTABLE and DBUS_PROXY_EXECUTABLE    ***\n"
++            "***  variables to set the run-time paths for the 'bwrap'   ***\n"
++            "***  and 'xdg-dbus-proxy' programs.                        ***\n"
++            "***--------------------------------------------------------***"
++        )
++    endif ()
++
++    add_definitions(-DBWRAP_EXECUTABLE="${BWRAP_EXECUTABLE}")
+     add_definitions(-DDBUS_PROXY_EXECUTABLE="${DBUS_PROXY_EXECUTABLE}")
+ endif ()
+-- 
+2.23.0
+
diff --git a/package/webkitgtk/Config.in b/package/webkitgtk/Config.in
index db67c89042..8d2f622a06 100644
--- a/package/webkitgtk/Config.in
+++ b/package/webkitgtk/Config.in
@@ -57,6 +57,21 @@ config BR2_PACKAGE_WEBKITGTK
 
 if BR2_PACKAGE_WEBKITGTK
 
+config BR2_PACKAGE_WEBKITGTK_SANDBOX
+	bool "sandboxing support"
+	default n
+	depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS # libseccomp
+	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # libseccomp
+	select BR2_PACKAGE_BUBBLEWRAP # runtime
+	select BR2_PACKAGE_XDG_DBUS_PROXY # runtime
+	help
+	  Enable sandboxing of the processes used for network operation,
+	  disk access, and Web content rendering.
+
+comment "sandboxing support needs a toolchain w/ headers >= 3.12"
+	depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS
+	depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
+
 config BR2_PACKAGE_WEBKITGTK_HTTPS
 	bool "HTTPS support"
 	depends on !BR2_STATIC_LIBS # libsoup -> glib-networking, gnutls
diff --git a/package/webkitgtk/webkitgtk.mk b/package/webkitgtk/webkitgtk.mk
index 0eef7cafcd..17701f4b14 100644
--- a/package/webkitgtk/webkitgtk.mk
+++ b/package/webkitgtk/webkitgtk.mk
@@ -17,19 +17,29 @@ WEBKITGTK_DEPENDENCIES = host-ruby host-python host-gperf \
 	libtasn1 libxml2 libxslt openjpeg sqlite webp woff2
 WEBKITGTK_CONF_OPTS = \
 	-DENABLE_API_TESTS=OFF \
-	-DENABLE_BUBBLEWRAP_SANDBOX=OFF \
 	-DENABLE_GEOLOCATION=OFF \
 	-DENABLE_GTKDOC=OFF \
 	-DENABLE_INTROSPECTION=OFF \
 	-DENABLE_MINIBROWSER=ON \
 	-DENABLE_SPELLCHECK=ON \
 	-DPORT=GTK \
+	-DSILENCE_CROSS_COMPILATION_NOTICES=ON \
 	-DUSE_LIBNOTIFY=OFF \
 	-DUSE_LIBHYPHEN=OFF \
 	-DUSE_OPENJPEG=ON \
 	-DUSE_WOFF2=ON \
 	-DUSE_WPE_RENDERER=OFF
 
+ifeq ($(BR2_PACKAGE_WEBKITGTK_SANDBOX),y)
+WEBKITGTK_CONF_OPTS += \
+	-DENABLE_BUBBLEWRAP_SANDBOX=ON \
+	-DBWRAP_EXECUTABLE=/usr/bin/bwrap \
+	-DDBUS_PROXY_EXECUTABLE=/usr/bin/xdg-dbus-proxy
+WEBKITGTK_DEPENDENCIES += libseccomp
+else
+WEBKITGTK_CONF_OPTS += -DENABLE_BUBBLEWRAP_SANDBOX=OFF
+endif
+
 ifeq ($(BR2_PACKAGE_WEBKITGTK_MULTIMEDIA),y)
 WEBKITGTK_CONF_OPTS += \
 	-DENABLE_VIDEO=ON \