Hi,
I'd like to propose changing the ungoogled-chromium port to read the pledge
configuration for the CDN sandbox from a config file instead of having it
hardcoded to what openwv needs.
That would make it easier for any alternative implementations that may
require a different set of pledges.
Here is a diff with the proposed change; the default pledge remains the
same:
diff --git a/www/ungoogled-chromium/Makefile b/www/ungoogled-chromium/Makefile
index c05aa6c00e4..498db5eafc2 100644
--- a/www/ungoogled-chromium/Makefile
+++ b/www/ungoogled-chromium/Makefile
@@ -16,7 +16,7 @@ COMMENT= Chromium browser sans integration with Google
V= 145.0.7632.159
UGV= ${V}-1
-REVISION= 0
+REVISION= 1
DISTNAME= ungoogled-chromium-${V}
@@ -372,7 +372,7 @@ do-install:
${INSTALL_DATA_DIR} ${PREFIX}/share/examples/ungoogled-chromium
.for f in pledge.main pledge.utility_audio pledge.utility_network pledge.utility_video \
unveil.gpu unveil.main unveil.utility_audio unveil.utility_network unveil.utility_video \
- unveil.cdm
+ unveil.cdm pledge.cdm
${INSTALL_DATA} ${FILESDIR}/${f} ${PREFIX}/share/examples/ungoogled-chromium
.endfor
diff --git a/www/ungoogled-chromium/files/pledge.cdm b/www/ungoogled-chromium/files/pledge.cdm
new file mode 100644
index 00000000000..32639079cb6
--- /dev/null
+++ b/www/ungoogled-chromium/files/pledge.cdm
@@ -0,0 +1 @@
+stdio rpath flock recvfd sendfd
diff --git a/www/ungoogled-chromium/files/unveil.cdm b/www/ungoogled-chromium/files/unveil.cdm
index 76d04d3e5fc..176175200f9 100644
--- a/www/ungoogled-chromium/files/unveil.cdm
+++ b/www/ungoogled-chromium/files/unveil.cdm
@@ -1,6 +1,7 @@
/dev/null rw
/etc/openwv r
+/etc/ungoogled-chromium/pledge.cdm r
/usr/local/lib/openwv r
# needed for IPC communication, X.Org, etc.
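Review bot: The added `/etc/ungoogled-chromium/pledge.cdm r` entry in unveil.cdm keeps the pledge file readable by the CDM process for its whole lifetime, and it is only needed if the file is opened after the unveil list has been applied. The visible lines do not show that ordering; if SetPledge reads the file before unveil is enforced, this entry can be dropped so the sandboxed process sees one path less.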
diff --git a/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc b/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc
index 81e0bf7434a..132e95e08c0 100644
--- a/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc
+++ b/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc
@@ -360,7 +360,7 @@ Index: sandbox/policy/openbsd/sandbox_openbsd.cc
+ SetPledge(NULL, "/etc/ungoogled-chromium/pledge.utility_video");
+ break;
+ case sandbox::mojom::Sandbox::kCdm:
-+ SetPledge("stdio rpath flock recvfd sendfd", NULL);
++ SetPledge(NULL, "/etc/ungoogled-chromium/pledge.cdm");
+ break;
+ case sandbox::mojom::Sandbox::kUtility:
+ case sandbox::mojom::Sandbox::kService:
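Review bot: In the kCdm case, replacing the literal promise string with `SetPledge(NULL, "/etc/ungoogled-chromium/pledge.cdm")` makes the sandbox depend on a file that can be missing, empty or edited, and the hunk does not show what SetPledge does in those cases. Please confirm that a missing or unreadable file aborts the process instead of leaving it unpledged, or keep "stdio rpath flock recvfd sendfd" as the fallback when the file cannot be read. Since the file contents now decide the promises, the commit message should also state that the file is expected to be root-owned and not writable by the browsing user.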
diff --git a/www/ungoogled-chromium/pkg/PLIST b/www/ungoogled-chromium/pkg/PLIST
index 769b4df33b2..917fe1ff657 100644
--- a/www/ungoogled-chromium/pkg/PLIST
+++ b/www/ungoogled-chromium/pkg/PLIST
@@ -5,6 +5,8 @@ share/applications/ungoogled-chromium.desktop
share/doc/pkg-readmes/${PKGSTEM}
share/examples/ungoogled-chromium/
@sample ${SYSCONFDIR}/ungoogled-chromium/
+share/examples/ungoogled-chromium/pledge.cdm
+@sample ${SYSCONFDIR}/ungoogled-chromium/pledge.cdm
share/examples/ungoogled-chromium/pledge.main
@sample ${SYSCONFDIR}/ungoogled-chromium/pledge.main
share/examples/ungoogled-chromium/pledge.utility_audio
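Review bot: The PLIST hunk installs pledge.cdm as an @sample file, but nothing in the diff touches the readme listed at `share/doc/pkg-readmes/${PKGSTEM}`. If that readme describes the other pledge.* and unveil.* files, add a line for pledge.cdm there, noting that the default is "stdio rpath flock recvfd sendfd" and that an alternative CDM implementation may need a different set.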