Changeset 92e5300 for x


Timestamp:
08/09/2023 03:09:07 AM (14 months ago)
Author:
Douglas R. Reno <renodr@…>
Branches:
12.0, 12.1, 12.2, gimp3, ken/TL2024, ken/tuningfonts, lazarus, plabs/newcss, python3.11, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, xry111/for-12.3, xry111/llvm18, xry111/spidermonkey128
Children:
ea7abff3
Parents:
fb3323ad
Message:

Enable the Bubblewrap sandbox in WebKitGTK+.

This should help minimize the impact of some security vulnerabilities.

File:
1 edited

  • x/lib/webkitgtk.xml

    rfb3323ad r92e5300  
    108108    <bridgehead renderas="sect4">Recommended</bridgehead>
    109109    <para role="recommended">
     110      <xref linkend="bubblewrap"/>,
    110111      <xref linkend="enchant"/>,
    111112      <xref linkend="geoclue2"/>,
    112113      <xref linkend="gobject-introspection"/>,
    113       <xref linkend="hicolor-icon-theme"/>, and
    114       <xref linkend="libavif"/>
     114      <xref linkend="hicolor-icon-theme"/>,
     115      <xref linkend="libavif"/>, and
     116      <xref linkend="xdg-dbus-proxy"/>
    115117    </para>
    116118
    117119    <bridgehead renderas="sect4">Optional</bridgehead>
    118120    <para role="optional">
    119       <xref linkend="bubblewrap"/>,
     121      <!--<xref linkend="bubblewrap"/>,-->
    120122      <xref linkend="gi-docgen"/>,
    121123      <xref linkend="harfbuzz"/>,
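Review bot: The new `<xref linkend="xdg-dbus-proxy"/>` at new line 116 needs a matching id elsewhere in the book, and this changeset edits only x/lib/webkitgtk.xml. The entry it replaces under Optional was an external `<ulink>` to GitHub, which suggests the package may not have had its own page before. Please confirm the target page lands in or before this commit, otherwise the xref will not resolve when the book is validated.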
     
    125127      <ulink url="https://sourceforge.net/projects/hunspell/files/Hyphen/">Hyphen</ulink>,
    126128      <!--<ulink url="https://github.com/AOMediaCodec/libavif">libavif</ulink>,-->
    127       <ulink url="https://github.com/libjxl/libjxl">libjxl</ulink>,
    128       <ulink url="https://gnome.pages.gitlab.gnome.org/libmanette/">libmanette</ulink>, and
    129       <ulink url="https://github.com/flatpak/xdg-dbus-proxy">xdg-dbus-proxy</ulink>
     129      <ulink url="https://github.com/libjxl/libjxl">libjxl</ulink>, and
     130      <ulink url="https://gnome.pages.gitlab.gnome.org/libmanette/">libmanette</ulink>
     131      <!--<ulink url="https://github.com/flatpak/xdg-dbus-proxy">xdg-dbus-proxy</ulink>-->
    130132    </para>
    131133
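Review bot: At new line 131 (and at new line 121 in the previous hunk) the moved entries are left behind as XML comments instead of being deleted. The file already does this for libavif at line 128, but the comments carry no explanation and the history records the move, so I would delete both lines rather than let the Optional list accumulate dead entries.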
     
    189191      -DUSE_WPE_RENDERER=ON       \
    190192      -DUSE_JPEGXL=OFF            \
    191       -DENABLE_BUBBLEWRAP_SANDBOX=OFF \
     193      -DENABLE_BUBBLEWRAP_SANDBOX=ON \
    192194      -Wno-dev -G Ninja ..        &amp;&amp;
    193195ninja</userinput></screen>
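Review bot: With `-DENABLE_BUBBLEWRAP_SANDBOX=ON` written into the command at new line 193 (and likewise at 214, 267 and 287), the block as printed assumes bubblewrap and xdg-dbus-proxy are installed, yet both are listed under Recommended rather than Required. A reader who skips them and copies the block gets no hint at this point; the only guidance is the parameter explanation further down the page. Either add a short note beside the commands pointing to that explanation, or state what the configure step does when the two packages are missing.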
     
    210212      -DUSE_WPE_RENDERER=ON       \
    211213      -DENABLE_JOURNALD_LOG=OFF   \
    212       -DENABLE_BUBBLEWRAP_SANDBOX=OFF \
     214      -DENABLE_BUBBLEWRAP_SANDBOX=ON \
    213215      -Wno-dev -G Ninja ..        &amp;&amp;
    214216ninja</userinput></screen>
     
    220222      there is a problem with the build.
    221223    </para>
    222 
    223 <!-- Since we're using Ninja now instead of autotools, this isn't valid anymore
    224     <note><para>
    225       When installing, the Makefile does some additional compiling and linking.
    226       If you do not have Xorg in /usr, the LIBRARY_PATH and PKG_CONFIG_PATH
    227       variables need to be defined for the root user.  If using sudo to assume
    228       root, use the -E option to pass your current environment variables for the
    229       install process.
    230     </para></note>
    231 -->
    232224
    233225    <para>
     
    273265      -DUSE_JPEGXL=OFF            \
    274266      -DUSE_WPE_RENDERER=ON       \
    275       -DENABLE_BUBBLEWRAP_SANDBOX=OFF \
     267      -DENABLE_BUBBLEWRAP_SANDBOX=ON \
    276268      -Wno-dev -G Ninja ..        &amp;&amp;
    277269ninja</userinput></screen>
     
    293285      -DUSE_WPE_RENDERER=ON       \
    294286      -DENABLE_JOURNALD_LOG=OFF   \
    295       -DENABLE_BUBBLEWRAP_SANDBOX=OFF \
     287      -DENABLE_BUBBLEWRAP_SANDBOX=ON \
    296288      -Wno-dev -G Ninja ..        &amp;&amp;
    297289ninja</userinput></screen>
     
    353345
    354346    <para>
    355       <parameter>-DENABLE_BUBBLEWRAP_SANDBOX=OFF</parameter>: Remove this
    356       switch if the optional packages <xref linkend="bubblewrap"/> and
    357       <ulink url="https://github.com/flatpak/xdg-dbus-proxy">xdg-dbus-proxy</ulink>
    358       are installed.
     347      <parameter>-DENABLE_BUBBLEWRAP_SANDBOX=ON</parameter>: This switch
     348      enables the Bubblewrap sandbox, which helps mitigate the impact of most
     349      security vulnerabilities in this package. Change this switch to OFF if
     350      you do not want to install <xref linkend="bubblewrap" role="nodep"/> and
     351      <xref linkend="xdg-dbus-proxy" role="nodep"/>, but note that this may
     352      put you at risk.
     353      <!-- Note: This works well on both i686 and x86_64. -renodr -->
    359354    </para>
    360355
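Review bot: The new text at lines 348-349 says the sandbox mitigates "most security vulnerabilities in this package", while the commit message only claims "some"; please use wording the book can stand behind and say what the sandbox does, rather than closing on "this may put you at risk". The instruction "Change this switch to OFF" should also say that the switch appears in every build command on the page (four were changed in this commit). The inline comment at line 353 about i686 and x86_64 reads as a test report and fits better in the commit message.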
     
    386381      support for fonts.
    387382    </para>
    388 
    389     <!-- Uncomment once GTK4 support works, or when it doesn't require
    390          a development version of libsoup.
    391     <para>
    392       <option>-DUSE_GTK4=ON</option>: Use this switch if <xref linkend="gtk4"/>
    393       is installed and you wish to build GTK4 support.
    394     </para>
    395     -->
    396383
    397384  </sect2>
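Review bot: Removing the commented-out GTK4 paragraph here (old lines 389-395), like the stale Makefile note dropped at old lines 223-231, is unrelated to enabling the sandbox and is not mentioned in the commit message. Please split the cleanup into its own commit, or add a line to the message, so the sandbox change can be reviewed or reverted on its own.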