On Sat, Apr 16, 2022 at 06:25:11PM +0200, Landry Breuil wrote:
> Hi,
>
> since firefox 95 one can use a 'wasi sysroot' to sandbox some external
> libraries bundled within firefox (eg Graphite, Hunspell, Ogg, Expat and
> Woff2) by building them first from C/C++ to wasm then to C via wasm2c.
>
> All this plumbing is supposed to bring better 'sandboxing' to those
> libraries, as explained in the below links:
> https://hacks.mozilla.org/2019/03/standardizing-wasi-a-webassembly-system-interface/
> https://hacks.mozilla.org/2020/02/securing-firefox-with-webassembly/
> https://hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95/
>
> to achieve that, i had to wrap up 4 ports on top of llvm 13.0.0 bits:
> wasi-libc, wasi-libcxx, wasi-libcxxabi & wasi-compiler-rt. I've settled
> for the same version we use for devel/llvm, without any patches, and so
> far only tested it on amd64.
>
> with those 4 ports installed, and the below diff, i have a build of
> firefox 100.0b6 that runs here, no idea how to test differences in
> runtime though.
>
> -CONFIGURE_ARGS += --without-wasm-sandboxed-libraries
> +CONFIGURE_ARGS += --with-wasi-sysroot=${LOCALBASE}/share/wasi-sysroot
>
> feedback on the 4 ports (unpack in lang/) much welcome, i dunno how i
> could improve the layout (eg build a single port once for
> libcxx/libcxxabi is how other oses do)... so more eyes needed :)
>
> the DISTFILES hack (and move source dirs around) are ugly but all those
> llvm-based ports sadly require the full llvm source tree to build, ideas
> on how to improve that are welcome.

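Review bot: the added `--with-wasi-sysroot=${LOCALBASE}/share/wasi-sysroot` line is unconditional, and the diff as shown adds no build dependency on the four wasi ports that install that path, while the message says the sysroot was only tested on amd64. Suggest adding the dependency on the wasi-* ports in the same change and keeping `--without-wasm-sandboxed-libraries` on architectures where the sysroot has not been built and tested, so the browser build never points at a sysroot that is absent. A short comment next to the new line saying which bundled libraries end up sandboxed would also help whoever has to decide later whether to turn it off.
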
new version of those ports, this time with factorization between
compiler-rt/libcxx/libcxxabi, and update wasi-libc to latest git head.
feedback on the ports & oks to import welcome so that i can move forward
on this.

Landry
wasi-sdk2.tgz
Description: application/tar-gz
