jeans/motioneyeos
jeans/motioneyeos
1
0
Fork 0
mirror of https://github.com/motioneye-project/motioneyeos.git synced 2025-08-02 07:57:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

package/wpewebkit: add option to enable sandboxing support

Browse Source 
Add an option to enable WebKit's sandbox, which uses kernel
namespaces to isolate the processes used for Web content rendering
(WebKitWebProcess) and network/disk access (WebKitNetworkProcess).

The reason to have an option is that it needs additional dependencies
(bubblewrap, xdg-dbus-proxy, libseccomp), and that some users may
choose to deploy alternative solution (for example: putting all
of WebKit inside its own container, using systemd-nspawn or the
like).

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[Peter: select libseccomp]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Adrian Perez de Castro 2019-12-14 16:22:16 +02:00 committed by Peter Korsgaard
parent c061ee3a0a
commit 2a19afecb4
2 changed files with 27 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
package/wpewebkit/Config.in
View File

@ -63,6 +63,21 @@ config BR2_PACKAGE_WPEWEBKIT
if BR2_PACKAGE_WPEWEBKIT if BR2_PACKAGE_WPEWEBKIT
config BR2_PACKAGE_WPEWEBKIT_SANDBOX
bool "sandboxing support"
depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS # libseccomp
depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12 # libseccomp
select BR2_PACKAGE_BUBBLEWRAP # runtime
select BR2_PACKAGE_XDG_DBUS_PROXY # runtime
select BR2_PACKAGE_LIBSECCOMP
help
Enable sandboxing of the processes used for network operation,
disk asccess, and Web content rendering.
comment "sandboxing supports needs a toolchain w/ headers >= 3.12"
depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS
depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_12
config BR2_PACKAGE_WPEWEBKIT_MULTIMEDIA config BR2_PACKAGE_WPEWEBKIT_MULTIMEDIA
bool "multimedia support" bool "multimedia support"
select BR2_PACKAGE_GSTREAMER1 select BR2_PACKAGE_GSTREAMER1

14
package/wpewebkit/wpewebkit.mk
View File

@ -20,8 +20,18 @@ WPEWEBKIT_CONF_OPTS = \
-DPORT=WPE \ -DPORT=WPE \
-DENABLE_ACCESSIBILITY=OFF \ -DENABLE_ACCESSIBILITY=OFF \
-DENABLE_API_TESTS=OFF \ -DENABLE_API_TESTS=OFF \
-DENABLE_BUBBLEWRAP_SANDBOX=OFF \ -DENABLE_MINIBROWSER=OFF \
-DENABLE_MINIBROWSER=OFF -DSILENCE_CROSS_COMPILATION_NOTICES=ON
ifeq ($(BR2_PACKAGE_WPEWEBKIT_SANDBOX),y)
WPEWEBKIT_CONF_OPTS += \
-DENABLE_BUBBLEWRAP_SANDBOX=ON \
-DBWRAP_EXECUTABLE=/usr/bin/bwrap \
-DDBUS_PROXY_EXECUTABLE=/usr/bin/xdg-dbus-proxy
WPEWEBKIT_DEPENDENCIES += libseccomp
else
WPEWEBKIT_CONF_OPTS += -DENABLE_BUBBLEWRAP_SANDBOX=OFF
endif
ifeq ($(BR2_PACKAGE_WPEWEBKIT_MULTIMEDIA),y) ifeq ($(BR2_PACKAGE_WPEWEBKIT_MULTIMEDIA),y)
WPEWEBKIT_CONF_OPTS += \ WPEWEBKIT_CONF_OPTS += \