On Wed, Oct 06, 2021 at 04:54:54PM -0400, Vivien Didelot wrote:
> Instead of maintaining an inappropriate hack on qtwebengine to disable
> seccomp filter sandbox, export the corresponding chromium flag in
> the QTWEBENGINE_CHROMIUM_FLAGS environment variable.
> 
> Signed-off-by: Vivien Didelot <vdide...@pbsc.com>
> ---
>  .../qt5/qtbase-conf/ti33x/qt_env.sh           |  5 +++
>  ...-disable-SECCOMP-BPF-Sandbox-at-star.patch | 32 -------------------
>  .../recipes-qt/qt5/qtwebengine_git.bbappend   |  4 ---
>  3 files changed, 5 insertions(+), 36 deletions(-)
>  delete mode 100644 
> meta-arago-distro/recipes-qt/qt5/qtwebengine/0003-qtwebengine-HACK-disable-SECCOMP-BPF-Sandbox-at-star.patch
> 
> diff --git a/meta-arago-distro/recipes-qt/qt5/qtbase-conf/ti33x/qt_env.sh 
> b/meta-arago-distro/recipes-qt/qt5/qtbase-conf/ti33x/qt_env.sh
> index 29fa2969..96526393 100644
> --- a/meta-arago-distro/recipes-qt/qt5/qtbase-conf/ti33x/qt_env.sh
> +++ b/meta-arago-distro/recipes-qt/qt5/qtbase-conf/ti33x/qt_env.sh
> @@ -7,3 +7,8 @@ export QT_QPA_EGLFS_KMS_CONFIG=/etc/qt5/eglfs_kms_cfg.json
>  export QT_QPA_EGLFS_INTEGRATION=eglfs_kms
>  export QT_QPA_EGLFS_ALWAYS_SET_MODE=1
>  export QT_WAYLAND_SHELL_INTEGRATION=wl-shell
> +
> +# SECCOMP-BPF Sandbox does not work due to unexpected FUTEX_UNLOCK_PI call
> +# from the pthread implementation. Disable this feature temporarily until
> +# those issues are resolved.
> +export QTWEBENGINE_CHROMIUM_FLAGS="--disable-seccomp-filter-sandbox"
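
Review bot: The added `export QTWEBENGINE_CHROMIUM_FLAGS=` line assigns the variable unconditionally, so any Chromium flags already present in the environment when qt_env.sh is sourced are discarded. Consider appending instead, for example `export QTWEBENGINE_CHROMIUM_FLAGS="${QTWEBENGINE_CHROMIUM_FLAGS:+$QTWEBENGINE_CHROMIUM_FLAGS }--disable-seccomp-filter-sandbox"`. The comment says the sandbox is disabled temporarily; a reference to wherever the FUTEX_UNLOCK_PI failure is tracked would tell the next reader when this line can be removed.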

Why is this only done for the ti33x platform? What about other platforms?


> diff --git 
> a/meta-arago-distro/recipes-qt/qt5/qtwebengine/0003-qtwebengine-HACK-disable-SECCOMP-BPF-Sandbox-at-star.patch
>  
> b/meta-arago-distro/recipes-qt/qt5/qtwebengine/0003-qtwebengine-HACK-disable-SECCOMP-BPF-Sandbox-at-star.patch
> deleted file mode 100644
> index 09f1870d..00000000
> --- 
> a/meta-arago-distro/recipes-qt/qt5/qtwebengine/0003-qtwebengine-HACK-disable-SECCOMP-BPF-Sandbox-at-star.patch
> +++ /dev/null
> @@ -1,32 +0,0 @@
> -From 77fc6e4391562a1f84d82b58319a73de08242797 Mon Sep 17 00:00:00 2001
> -From: Eric Ruei <e-ru...@ti.com>
> -Date: Fri, 8 Mar 2019 18:17:06 -0500
> -Subject: [PATCH 3/3] qtwebengine: HACK: disable SECCOMP-BPF Sandbox at 
> startup
> -
> -SECCOMP-BPF Sandbox does not work due to unexpected FUTEX_UNLOCK_PI call
> -from the pthread implementation
> -Disable this feature temporarily until those issues are resolved.
> -
> -Upstream-Status: Inappropriate [HACK]
> -
> -Signed-off-by: Eric Ruei <e-ru...@ti.com>
> ----
> - src/core/web_engine_context.cpp | 2 ++
> - 1 file changed, 2 insertions(+)
> -
> -diff --git a/src/core/web_engine_context.cpp 
> b/src/core/web_engine_context.cpp
> -index 48e5bc4..9ba3fa4 100644
> ---- a/src/core/web_engine_context.cpp
> -+++ b/src/core/web_engine_context.cpp
> -@@ -347,6 +347,8 @@ WebEngineContext::WebEngineContext()
> -         parsedCommandLine->AppendSwitch(switches::kNoSandbox);
> - #elif defined(Q_OS_LINUX)
> -         
> parsedCommandLine->AppendSwitch(service_manager::switches::kDisableSetuidSandbox);
> -+        // HACK: disable seccomp filter sandbox for now because it does not 
> work
> -+        
> parsedCommandLine->AppendSwitch(service_manager::switches::kDisableSeccompFilterSandbox);
> - #endif
> -     } else {
> -         parsedCommandLine->AppendSwitch(switches::kNoSandbox);
> --- 
> -1.9.1
> -
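
Review bot: Deleting this patch removes the compiled-in `kDisableSeccompFilterSandbox` switch from the `Q_OS_LINUX` branch, so the seccomp filter sandbox is now disabled only for processes that inherit the variable exported from qt_env.sh. A QtWebEngine application started without that script in its environment will run with the seccomp filter enabled and can hit the FUTEX_UNLOCK_PI failure the commit message describes. The commit message should state this change in behaviour and how applications are expected to pick up the environment.
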
> diff --git a/meta-arago-distro/recipes-qt/qt5/qtwebengine_git.bbappend 
> b/meta-arago-distro/recipes-qt/qt5/qtwebengine_git.bbappend
> index c50b020f..6459bbf7 100644
> --- a/meta-arago-distro/recipes-qt/qt5/qtwebengine_git.bbappend
> +++ b/meta-arago-distro/recipes-qt/qt5/qtwebengine_git.bbappend
> @@ -1,8 +1,4 @@
>  FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
>  PR_append = ".arago1"
>  
> -SRC_URI += " \
> -    file://0003-qtwebengine-HACK-disable-SECCOMP-BPF-Sandbox-at-star.patch \
> -"
> -
>  DEPENDS += "bison-native"
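
Review bot: With the `SRC_URI` entry removed, this bbappend no longer adds any local file, so the `FILESEXTRAPATHS_prepend` line kept as context at the top of the hunk looks unused. Drop it in the same change unless something else still relies on that search path.
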
> -- 
> 2.33.0

-- 
Regards,
Denys Dmytriyenko <de...@denix.org>
PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964
_______________________________________________
meta-arago mailing list
meta-arago@arago-project.org
http://arago-project.org/cgi-bin/mailman/listinfo/meta-arago