From: Renato Aguiar
Subject: www/ungoogled-chromium: configurable cdm pledges
To: ports@openbsd.org
Cc: Robert Nagy
Date: Thu, 12 Mar 2026 16:01:06 +0000

Hi,

I'd like to propose changing the ungoogled-chromium port to read the pledge configuration for the CDM sandbox from a config file instead of having it hardcoded to what openwv needs. That would make it easier for any alternative implementations that may require a different set of pledges.

Here is a diff with the proposed change; the default pledge remains the same:

diff --git a/www/ungoogled-chromium/Makefile b/www/ungoogled-chromium/Makefile index c05aa6c00e4..498db5eafc2 100644 --- a/www/ungoogled-chromium/Makefile +++ b/www/ungoogled-chromium/Makefile @@ -16,7 +16,7 @@ COMMENT= Chromium browser sans integration with Google V= 145.0.7632.159 UGV= ${V}-1 -REVISION= 0 +REVISION= 1 DISTNAME= ungoogled-chromium-${V} @@ -372,7 +372,7 @@ do-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/ungoogled-chromium .for f in pledge.main pledge.utility_audio pledge.utility_network pledge.utility_video \ unveil.gpu unveil.main unveil.utility_audio unveil.utility_network unveil.utility_video \ - unveil.cdm + unveil.cdm pledge.cdm ${INSTALL_DATA} ${FILESDIR}/${f} ${PREFIX}/share/examples/ungoogled-chromium .endfor diff --git a/www/ungoogled-chromium/files/pledge.cdm b/www/ungoogled-chromium/files/pledge.cdm new file mode 100644 index 00000000000..32639079cb6 --- /dev/null +++ b/www/ungoogled-chromium/files/pledge.cdm @@ -0,0 +1 @@ +stdio rpath flock recvfd sendfd diff --git a/www/ungoogled-chromium/files/unveil.cdm b/www/ungoogled-chromium/files/unveil.cdm index 76d04d3e5fc..176175200f9 100644 --- a/www/ungoogled-chromium/files/unveil.cdm +++ b/www/ungoogled-chromium/files/unveil.cdm @@ -1,6 +1,7 @@ /dev/null rw /etc/openwv r +/etc/ungoogled-chromium/pledge.cdm r /usr/local/lib/openwv r # needed for IPC communication, X.Org, etc. 
diff --git a/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc b/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc index 81e0bf7434a..132e95e08c0 100644 --- a/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc +++ b/www/ungoogled-chromium/patches/patch-sandbox_policy_openbsd_sandbox_openbsd_cc @@ -360,7 +360,7 @@ Index: sandbox/policy/openbsd/sandbox_openbsd.cc + SetPledge(NULL, "/etc/ungoogled-chromium/pledge.utility_video"); + break; + case sandbox::mojom::Sandbox::kCdm: -+ SetPledge("stdio rpath flock recvfd sendfd", NULL); ++ SetPledge(NULL, "/etc/ungoogled-chromium/pledge.cdm"); + break; + case sandbox::mojom::Sandbox::kUtility: + case sandbox::mojom::Sandbox::kService: diff --git a/www/ungoogled-chromium/pkg/PLIST b/www/ungoogled-chromium/pkg/PLIST index 769b4df33b2..917fe1ff657 100644 --- a/www/ungoogled-chromium/pkg/PLIST +++ b/www/ungoogled-chromium/pkg/PLIST @@ -5,6 +5,8 @@ share/applications/ungoogled-chromium.desktop share/doc/pkg-readmes/${PKGSTEM} share/examples/ungoogled-chromium/ @sample ${SYSCONFDIR}/ungoogled-chromium/ +share/examples/ungoogled-chromium/pledge.cdm +@sample ${SYSCONFDIR}/ungoogled-chromium/pledge.cdm share/examples/ungoogled-chromium/pledge.main @sample ${SYSCONFDIR}/ungoogled-chromium/pledge.main share/examples/ungoogled-chromium/pledge.utility_audio
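Review bot: In the kCdm case of patch-sandbox_policy_openbsd_sandbox_openbsd_cc, the visible lines do not show what SetPledge(NULL, "/etc/ungoogled-chromium/pledge.cdm") does when the file is missing, empty or unparsable. With the old call the CDM process always ended up with "stdio rpath flock recvfd sendfd"; with the file form, please confirm that a failed read terminates the process instead of letting it continue unpledged, and say so in the commit message. The promise set for the process that loads the CDM is now whatever the file contains, so it is also worth stating that the installed sample must stay writable by root only.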
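Review bot: The new "/etc/ungoogled-chromium/pledge.cdm r" line in files/unveil.cdm only reaches installations that still have the unmodified sample, because a locally edited /etc/ungoogled-chromium/unveil.cdm is kept on upgrade. If SetPledge opens the pledge file after unveil has been applied, those installations would have a CDM process that cannot read its own pledge file, so please check the ordering and mention the required manual edit in the upgrade notes if it applies. A short comment above the entry, in the style of the existing "# needed for IPC communication, X.Org, etc.", would also make clear why the path is listed.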
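Review bot: In the do-install .for list in the Makefile, pledge.cdm is appended after unveil.cdm, which breaks the grouping the list already has (the pledge.* entries first, then the unveil.* entries). Suggest moving it to the first line next to pledge.main so the list stays grouped the same way as the entries in pkg/PLIST.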
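Review bot: pkg/PLIST gains the @sample for pledge.cdm, but nothing in the diff touches share/doc/pkg-readmes/${PKGSTEM}, which is listed a few lines above it. Since the stated goal is to support alternative CDM implementations, a short paragraph there should explain that pledge.cdm holds the promise list for the CDM sandbox and that unveil.cdm still names /etc/openwv and /usr/local/lib/openwv, so both files need editing for a different implementation.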