From: Renato Aguiar <renato@renatoaguiar.net>
Subject: www/ungoogled-chromium: configurable cdm pledges
To: ports@openbsd.org
Cc: Robert Nagy <robert@openbsd.org>
Date: Thu, 12 Mar 2026 16:01:06 +0000

Hi,

I'd like to propose changing the ungoogled-chromium port to read the pledge
configuration for the CDM sandbox from a config file instead of having it
hardcoded to what openwv needs.

That would make it easier for any alternative implementations that may
require a different set of pledges.

Here is a diff with the proposed change; the default pledge remains the
same:

diff --git a/www/ungoogled-chromium/Makefile b/www/ungoogled-chromium/Makefile
index c05aa6c00e4..498db5eafc2 100644
--- a/www/ungoogled-chromium/Makefile
+++ b/www/ungoogled-chromium/Makefile
@@ -16,7 +16,7 @@ COMMENT=		Chromium browser sans integration with Google
 V=			145.0.7632.159
 UGV=			${V}-1
 
-REVISION=		0
+REVISION=		1
 
 DISTNAME=		ungoogled-chromium-${V}
 
@@ -372,7 +372,7 @@ do-install:
 	${INSTALL_DATA_DIR} ${PREFIX}/share/examples/ungoogled-chromium
 .for f in pledge.main pledge.utility_audio pledge.utility_network pledge.utility_video \
     unveil.gpu unveil.main unveil.utility_audio unveil.utility_network unveil.utility_video \
-    unveil.cdm
+    unveil.cdm pledge.cdm
 	${INSTALL_DATA} ${FILESDIR}/${f} ${PREFIX}/share/examples/ungoogled-chromium
 .endfor
 
diff --git a/www/ungoogled-chromium/files/pledge.cdm b/www/ungoogled-chromium/files/pledge.cdm
new file mode 100644
index 00000000000..32639079cb6
--- /dev/null
+++ b/www/ungoogled-chromium/files/pledge.cdm
@@ -0,0 +1 @@
+stdio rpath flock recvfd sendfd
diff --git a/www/ungoogled-chromium/files/unveil.cdm b/www/ungoogled-chromium/files/unveil.cdm
index 76d04d3e5fc..176175200f9 100644
--- a/www/ungoogled-chromium/files/unveil.cdm
+++ b/www/ungoogled-chromium/files/unveil.cdm
@@ -1,6 +1,7 @@
 /dev/null rw
 
 /etc/openwv r
+/etc/ungoogled-chromium/pledge.cdm r
 /usr/local/lib/openwv r
 
 # needed for IPC communication, X.Org, etc.
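Review bot: the added /etc/ungoogled-chromium/pledge.cdm r entry leaves the pledge configuration readable from inside the CDM sandbox for the life of the process. If the pledge file is read before the unveil list is applied, this entry is unnecessary and can be dropped; if it is needed, a comment saying so (like the one on the IPC entries below it) would help. The line also lands between /etc/openwv and /usr/local/lib/openwv, splitting the openwv pair; giving it its own group would keep the file easier to read.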
diff --git a/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc b/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc
index 81e0bf7434a..132e95e08c0 100644
--- a/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc
+++ b/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc
@@ -360,7 +360,7 @@ Index: sandbox/policy/openbsd/sandbox_openbsd.cc
 +      SetPledge(NULL, "/etc/ungoogled-chromium/pledge.utility_video");
 +      break;
 +    case sandbox::mojom::Sandbox::kCdm:
-+      SetPledge("stdio rpath flock recvfd sendfd", NULL);
++      SetPledge(NULL, "/etc/ungoogled-chromium/pledge.cdm");
 +      break;
 +    case sandbox::mojom::Sandbox::kUtility:
 +    case sandbox::mojom::Sandbox::kService:
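Review bot: in the kCdm case the fixed promise string is gone, so the CDM process's restrictions now depend entirely on /etc/ungoogled-chromium/pledge.cdm being present and well-formed. How SetPledge handles a missing, empty or unreadable file is not visible in this hunk; please confirm it fails closed rather than leaving the process unpledged, or keep "stdio rpath flock recvfd sendfd" as the fallback when the file cannot be read.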
diff --git a/www/ungoogled-chromium/pkg/PLIST b/www/ungoogled-chromium/pkg/PLIST
index 769b4df33b2..917fe1ff657 100644
--- a/www/ungoogled-chromium/pkg/PLIST
+++ b/www/ungoogled-chromium/pkg/PLIST
@@ -5,6 +5,8 @@ share/applications/ungoogled-chromium.desktop
 share/doc/pkg-readmes/${PKGSTEM}
 share/examples/ungoogled-chromium/
 @sample ${SYSCONFDIR}/ungoogled-chromium/
+share/examples/ungoogled-chromium/pledge.cdm
+@sample ${SYSCONFDIR}/ungoogled-chromium/pledge.cdm
 share/examples/ungoogled-chromium/pledge.main
 @sample ${SYSCONFDIR}/ungoogled-chromium/pledge.main
 share/examples/ungoogled-chromium/pledge.utility_audio
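Review bot: missing documentation for the new @sample ${SYSCONFDIR}/ungoogled-chromium/pledge.cdm entry. The diff does not touch the pkg-readme listed at the top of this hunk (share/doc/pkg-readmes/${PKGSTEM}), so users get no pointer that the CDM promises are now editable or that the shipped default is what openwv needs. A short paragraph there, noting that every added promise widens what the CDM process may do, would cover it.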