On 2025/01/06 14:10, Kirill A. Korinsky wrote:
> On Sat, 04 Jan 2025 02:02:26 +0100,
> Kirill A. Korinsky <kir...@korins.ky> wrote:
> >
> > On Fri, 03 Jan 2025 14:06:23 +0100,
> > Ian Darwin <i...@darwinsys.com> wrote:
> > >
> > > On Fri, Jan 03, 2025 at 01:59:38PM +0100, Kirill A. Korinsky wrote:
> > > > On Fri, 03 Jan 2025 10:35:24 +0100,
> > > > Stuart Henderson <s...@spacehopper.org> wrote:
> > > > >
> > > > > I don't think it's _too_ unreasonable for the code to check higher than
> > > > > the default unveil to allow unusual cases without a recompile, although
> > > > > this is probably going to trigger warnings in /etc/daily if accounting
> > > > > is enabled (the "lastcomm | grep") so perhaps it does make sense to use
> > > > > a smaller number (8 seems alright to me) and align the loop and unveil.
> > >
> > > 8 would be enough for my use case and seems like a reasonable upper bound.
> > > It's also twice what many cheap offshore off-the-shelf "security" 
> > > solutions offer.
> >
> > I see only one issue here: to increase the value inside the loop the user
> > needs to recompile Chromium, which can take quite a long time.
> >
> > On the other hand, /dev/video0 ... /dev/video7 looks like a reasonable limit.
> >
> > So, here an updated version of diff.
> >
> Oops, it wasn't sent to ports@.
> 
> Here is the diff.
> 
> Ok?

ok with me


> Index: www/chromium/Makefile
> ===================================================================
> RCS file: /home/cvs/ports/www/chromium/Makefile,v
> diff -u -p -u -p -r1.820 Makefile
> --- www/chromium/Makefile     21 Dec 2024 11:39:11 -0000      1.820
> +++ www/chromium/Makefile     31 Dec 2024 19:54:02 -0000
> @@ -11,6 +11,7 @@ DPB_PROPERTIES+=    lonesome
>  COMMENT=             Chromium browser
>  
>  V=                   131.0.6778.204
> +REVISION=            0
>  
>  DISTNAME=            chromium-${V}
>  
> Index: www/chromium/files/unveil.main
> ===================================================================
> RCS file: /home/cvs/ports/www/chromium/files/unveil.main,v
> diff -u -p -u -p -r1.16 unveil.main
> --- www/chromium/files/unveil.main    15 Nov 2024 14:03:20 -0000      1.16
> +++ www/chromium/files/unveil.main    4 Jan 2025 00:50:52 -0000
> @@ -1,5 +1,12 @@
>  # needed for video(4)
> -/dev/video rw
> +/dev/video0 rw
> +/dev/video1 rw
> +/dev/video2 rw
> +/dev/video3 rw
> +/dev/video4 rw
> +/dev/video5 rw
> +/dev/video6 rw
> +/dev/video7 rw
>  
>  # needed for FIDO authentication
>  /dev/fido rw
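Review bot: The eight `/dev/videoN rw` entries that replace `/dev/video rw` are silently coupled to the `n < 8` loop bound of the GetDeviceIds probe carried in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc, and this file gives no hint of that; add `# keep in sync with the /dev/video[0-7] probe in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc` under the existing `# needed for video(4)` comment so that widening one side without the other is caught in review. A mismatch is not an error anywhere: an extra unveil entry is dead privilege, a missing one is a camera that never appears. Note also that this is the main browser process and it now has read-write access to eight device nodes instead of one; the probe itself only opens `O_RDONLY`, so whether `rw` rather than `r` is needed here depends on which process actually opens the capture device, which the diff does not show.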
> Index: www/chromium/files/unveil.utility_video
> ===================================================================
> RCS file: /home/cvs/ports/www/chromium/files/unveil.utility_video,v
> diff -u -p -u -p -r1.2 unveil.utility_video
> --- www/chromium/files/unveil.utility_video   11 Mar 2022 20:09:41 -0000      
> 1.2
> +++ www/chromium/files/unveil.utility_video   4 Jan 2025 00:50:47 -0000
> @@ -5,4 +5,11 @@
>  /tmp rwc
>  
>  # needed for video(4)
> -/dev/video rw
> +/dev/video0 rw
> +/dev/video1 rw
> +/dev/video2 rw
> +/dev/video3 rw
> +/dev/video4 rw
> +/dev/video5 rw
> +/dev/video6 rw
> +/dev/video7 rw
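Review bot: The eight `/dev/videoN rw` lines under `# needed for video(4)` only work together with the `n < 8` probe loop in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc, and nothing in this file records that dependency; add `# keep in sync with the /dev/video[0-7] probe in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc` so a future change to either side is noticed. Since the video utility process is the one that is expected to hold the device, `rw` is justified here, but the count has to stay aligned with the probe or a camera on a higher minor is silently unreachable.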
> Index: 
> www/chromium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
> ===================================================================
> RCS file: 
> /home/cvs/ports/www/chromium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc,v
> diff -u -p -u -p -r1.3 
> patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
> --- 
> www/chromium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
>  21 Apr 2024 10:14:33 -0000      1.3
> +++ 
> www/chromium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
>  4 Jan 2025 00:58:02 -0000
> @@ -9,7 +9,7 @@ Index: media/capture/video/linux/video_c
>   // USB VID and PID are both 4 bytes long.
>   const size_t kVidPidSize = 4;
>   const size_t kMaxInterfaceNameSize = 256;
> -@@ -70,11 +71,15 @@ std::string ExtractFileNameFromDeviceId(const std::str
> +@@ -70,11 +71,24 @@ std::string ExtractFileNameFromDeviceId(const std::str
>     DCHECK(base::StartsWith(device_id, kDevDir, 
> base::CompareCase::SENSITIVE));
>     return device_id.substr(strlen(kDevDir), device_id.length());
>   }
> @@ -20,12 +20,21 @@ Index: media/capture/video/linux/video_c
>    public:
>     void GetDeviceIds(std::vector<std::string>* target_container) override {
>  +#if BUILDFLAG(IS_OPENBSD)
> -+    target_container->emplace_back("/dev/video");
> ++    char device[12];
> ++    int fd;
> ++    /* unveil(2) limits access to /dev/, try /dev/video[0-7] */
> ++    for (int n = 0; n < 8; n++) {
> ++      snprintf(device, sizeof(device), "/dev/video%d", n);
> ++      if ((fd = open(device, O_RDONLY)) != -1) {
> ++        close(fd);
> ++        target_container->emplace_back(device);
> ++      }
> ++    }
>  +#else
>       const base::FilePath path("/dev/");
>       base::FileEnumerator enumerator(path, false, 
> base::FileEnumerator::FILES,
>                                       "video*");
> -@@ -82,9 +87,13 @@ class DevVideoFilePathsDeviceProvider
> +@@ -82,9 +96,13 @@ class DevVideoFilePathsDeviceProvider
>         const base::FileEnumerator::FileInfo info = enumerator.GetInfo();
>         target_container->emplace_back(path.value() + info.GetName().value());
>       }
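Review bot: The `open(device, O_RDONLY)` probe in the new `BUILDFLAG(IS_OPENBSD)` branch of GetDeviceIds drops any node that exists but cannot be opened at that moment, so a camera already held by another process — if video(4) admits only one opener, which I cannot confirm from the diff — or one failing with EACCES disappears from enumeration, whereas the `#else` branch lists `/dev/video*` by name without opening anything. The probe is still the right existence test if some `/dev/videoN` nodes are created whether or not hardware is attached (I believe MAKEDEV does this; confirm), since stat(2) could not tell them apart, but busy or denied nodes should be kept rather than treated as absent hardware. `char device[12]` exactly fits `/dev/video%d` for one digit, so raising the `n < 8` bound to 10 or more would silently truncate under snprintf; `base::StringPrintf`, already used further down this file, removes the fixed buffer and the `fd` local. The rewrite below needs `errno`/`<cerrno>` in scope, and the patch's first hunk, which already adds a line near the includes, is the place for it. GetDeviceIds closes outside the hunk.
```cpp
  void GetDeviceIds(std::vector<std::string>* target_container) override {
#if BUILDFLAG(IS_OPENBSD)
    /* unveil(2) keeps this process from listing /dev/, so probe the nodes
     * files/unveil.main exposes (/dev/video[0-7]) by name.  /dev/videoN may
     * be present without attached hardware, so open() is the existence
     * test; a node that is merely busy or denied is still a real device. */
    for (int n = 0; n < 8; n++) {
      const std::string device = base::StringPrintf("/dev/video%d", n);
      int fd = open(device.c_str(), O_RDONLY | O_CLOEXEC);
      if (fd != -1)
        close(fd);
      else if (errno != EBUSY && errno != EACCES)
        continue;
      target_container->emplace_back(device);
    }
#else
    // … unchanged: FileEnumerator over /dev/video* …
```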
> @@ -39,7 +48,7 @@ Index: media/capture/video/linux/video_c
>       const std::string file_name = ExtractFileNameFromDeviceId(device_id);
>       std::string usb_id;
>       const std::string vid_path =
> -@@ -101,9 +110,13 @@ class DevVideoFilePathsDeviceProvider
> +@@ -101,9 +119,13 @@ class DevVideoFilePathsDeviceProvider
>       }
>   
>       return usb_id;
> @@ -53,7 +62,7 @@ Index: media/capture/video/linux/video_c
>       const std::string file_name = ExtractFileNameFromDeviceId(device_id);
>       const std::string interface_path =
>           base::StringPrintf(kInterfacePathTemplate, file_name.c_str());
> -@@ -114,6 +127,7 @@ class DevVideoFilePathsDeviceProvider
> +@@ -114,6 +136,7 @@ class DevVideoFilePathsDeviceProvider
>         return std::string();
>       }
>       return display_name;
> @@ -61,7 +70,7 @@ Index: media/capture/video/linux/video_c
>     }
>   };
>   
> -@@ -219,7 +233,7 @@ void VideoCaptureDeviceFactoryV4L2::GetDevicesInfo(
> +@@ -219,7 +242,7 @@ void VideoCaptureDeviceFactoryV4L2::GetDevicesInfo(
>     std::move(callback).Run(std::move(devices_info));
>   }
>   
> Index: www/iridium/Makefile
> ===================================================================
> RCS file: /home/cvs/ports/www/iridium/Makefile,v
> diff -u -p -u -p -r1.214 Makefile
> --- www/iridium/Makefile      21 Dec 2024 11:39:11 -0000      1.214
> +++ www/iridium/Makefile      31 Dec 2024 19:53:57 -0000
> @@ -12,6 +12,7 @@ DPB_PROPERTIES+=    lonesome
>  COMMENT=             Iridium browser
>  
>  V=                   2024.11.131.1
> +REVISION=            0
>  
>  DISTNAME=            iridium-browser-${V}
>  PKGNAME=             iridium-${V}
> Index: www/iridium/files/unveil.main
> ===================================================================
> RCS file: /home/cvs/ports/www/iridium/files/unveil.main,v
> diff -u -p -u -p -r1.14 unveil.main
> --- www/iridium/files/unveil.main     27 Aug 2023 20:52:48 -0000      1.14
> +++ www/iridium/files/unveil.main     4 Jan 2025 00:50:36 -0000
> @@ -1,5 +1,12 @@
>  # needed for video(4)
> -/dev/video rw
> +/dev/video0 rw
> +/dev/video1 rw
> +/dev/video2 rw
> +/dev/video3 rw
> +/dev/video4 rw
> +/dev/video5 rw
> +/dev/video6 rw
> +/dev/video7 rw
>  
>  # needed for FIDO authentication
>  /dev/fido rw
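Review bot: The eight `/dev/videoN rw` entries here must match the `n < 8` bound of the GetDeviceIds probe in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc, but this file does not say so; add `# keep in sync with the /dev/video[0-7] probe in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc` below `# needed for video(4)`. Nothing enforces the agreement at build or run time, so a drift shows up only as an unveil entry that grants unused access or a camera that is never enumerated. This is the main browser process, and the probe only needs `r`; whether `rw` is required here depends on which process opens the capture device, which the diff does not show.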
> Index: www/iridium/files/unveil.utility_video
> ===================================================================
> RCS file: /home/cvs/ports/www/iridium/files/unveil.utility_video,v
> diff -u -p -u -p -r1.2 unveil.utility_video
> --- www/iridium/files/unveil.utility_video    11 Mar 2022 20:09:56 -0000      
> 1.2
> +++ www/iridium/files/unveil.utility_video    4 Jan 2025 00:50:28 -0000
> @@ -5,4 +5,11 @@
>  /tmp rwc
>  
>  # needed for video(4)
> -/dev/video rw
> +/dev/video0 rw
> +/dev/video1 rw
> +/dev/video2 rw
> +/dev/video3 rw
> +/dev/video4 rw
> +/dev/video5 rw
> +/dev/video6 rw
> +/dev/video7 rw
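Review bot: The `/dev/video0` through `/dev/video7` lines are tied to the `n < 8` probe loop in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc without any cross-reference in this file; add `# keep in sync with the /dev/video[0-7] probe in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc` next to `# needed for video(4)`. The coupling is silent: a higher minor that the probe finds but this file does not unveil simply fails to open in the utility process.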
> Index: 
> www/iridium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
> ===================================================================
> RCS file: 
> /home/cvs/ports/www/iridium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc,v
> diff -u -p -u -p -r1.3 
> patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
> --- 
> www/iridium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
>   22 Jun 2024 06:03:33 -0000      1.3
> +++ 
> www/iridium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
>   4 Jan 2025 00:58:06 -0000
> @@ -9,7 +9,7 @@ Index: media/capture/video/linux/video_c
>   // USB VID and PID are both 4 bytes long.
>   const size_t kVidPidSize = 4;
>   const size_t kMaxInterfaceNameSize = 256;
> -@@ -70,11 +71,15 @@ std::string ExtractFileNameFromDeviceId(const std::str
> +@@ -70,11 +71,24 @@ std::string ExtractFileNameFromDeviceId(const std::str
>     DCHECK(base::StartsWith(device_id, kDevDir, 
> base::CompareCase::SENSITIVE));
>     return device_id.substr(strlen(kDevDir), device_id.length());
>   }
> @@ -20,12 +20,21 @@ Index: media/capture/video/linux/video_c
>    public:
>     void GetDeviceIds(std::vector<std::string>* target_container) override {
>  +#if BUILDFLAG(IS_OPENBSD)
> -+    target_container->emplace_back("/dev/video");
> ++    char device[12];
> ++    int fd;
> ++    /* unveil(2) limits access to /dev/, try /dev/video[0-7] */
> ++    for (int n = 0; n < 8; n++) {
> ++      snprintf(device, sizeof(device), "/dev/video%d", n);
> ++      if ((fd = open(device, O_RDONLY)) != -1) {
> ++        close(fd);
> ++        target_container->emplace_back(device);
> ++      }
> ++    }
>  +#else
>       const base::FilePath path("/dev/");
>       base::FileEnumerator enumerator(path, false, 
> base::FileEnumerator::FILES,
>                                       "video*");
> -@@ -82,9 +87,13 @@ class DevVideoFilePathsDeviceProvider
> +@@ -82,9 +96,13 @@ class DevVideoFilePathsDeviceProvider
>         const base::FileEnumerator::FileInfo info = enumerator.GetInfo();
>         target_container->emplace_back(path.value() + info.GetName().value());
>       }
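Review bot: In the new `BUILDFLAG(IS_OPENBSD)` branch of GetDeviceIds a node that exists but cannot be opened right now is dropped from the list, because only a successful `open()` adds it; if video(4) allows a single opener (which I cannot confirm from the diff), a camera already held by another process stops being enumerated, and EACCES is treated the same as absent hardware, unlike the `#else` branch, which lists `/dev/video*` by name. Since `/dev/videoN` nodes can be present without attached hardware, the `open()` probe is a reasonable existence test, but it should keep busy or denied nodes: `} else if (errno == EBUSY || errno == EACCES) {` / `  target_container->emplace_back(device);` after the `close(fd)` branch, with `<cerrno>` in scope. `char device[12]` exactly fits `/dev/video%d` for a single digit, so the buffer should be tied to the `n < 8` bound, e.g. `char device[sizeof("/dev/video") + 2];`, or built with `base::StringPrintf` as the rest of this file does. GetDeviceIds closes outside the hunk.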
> @@ -39,7 +48,7 @@ Index: media/capture/video/linux/video_c
>       const std::string file_name = ExtractFileNameFromDeviceId(device_id);
>       std::string usb_id;
>       const std::string vid_path =
> -@@ -101,9 +110,13 @@ class DevVideoFilePathsDeviceProvider
> +@@ -101,9 +119,13 @@ class DevVideoFilePathsDeviceProvider
>       }
>   
>       return usb_id;
> @@ -53,7 +62,7 @@ Index: media/capture/video/linux/video_c
>       const std::string file_name = ExtractFileNameFromDeviceId(device_id);
>       const std::string interface_path =
>           base::StringPrintf(kInterfacePathTemplate, file_name.c_str());
> -@@ -114,6 +127,7 @@ class DevVideoFilePathsDeviceProvider
> +@@ -114,6 +136,7 @@ class DevVideoFilePathsDeviceProvider
>         return std::string();
>       }
>       return display_name;
> @@ -61,7 +70,7 @@ Index: media/capture/video/linux/video_c
>     }
>   };
>   
> -@@ -219,7 +233,7 @@ void VideoCaptureDeviceFactoryV4L2::GetDevicesInfo(
> +@@ -219,7 +242,7 @@ void VideoCaptureDeviceFactoryV4L2::GetDevicesInfo(
>     std::move(callback).Run(std::move(devices_info));
>   }
>   
> Index: www/ungoogled-chromium/Makefile
> ===================================================================
> RCS file: /home/cvs/ports/www/ungoogled-chromium/Makefile,v
> diff -u -p -u -p -r1.148 Makefile
> --- www/ungoogled-chromium/Makefile   22 Dec 2024 11:05:44 -0000      1.148
> +++ www/ungoogled-chromium/Makefile   29 Dec 2024 22:58:39 -0000
> @@ -13,6 +13,7 @@ COMMENT=            Chromium browser sans integrat
>  
>  V=                   131.0.6778.204
>  UGV=                 ${V}-1
> +REVISION=            0
>  
>  DISTNAME=            ungoogled-chromium-${V}
>  
> Index: www/ungoogled-chromium/files/unveil.main
> ===================================================================
> RCS file: /home/cvs/ports/www/ungoogled-chromium/files/unveil.main,v
> diff -u -p -u -p -r1.5 unveil.main
> --- www/ungoogled-chromium/files/unveil.main  16 Nov 2024 12:12:27 -0000      
> 1.5
> +++ www/ungoogled-chromium/files/unveil.main  4 Jan 2025 00:48:45 -0000
> @@ -1,5 +1,12 @@
>  # needed for video(4)
> -/dev/video rw
> +/dev/video0 rw
> +/dev/video1 rw
> +/dev/video2 rw
> +/dev/video3 rw
> +/dev/video4 rw
> +/dev/video5 rw
> +/dev/video6 rw
> +/dev/video7 rw
>  
>  # needed for FIDO authentication
>  /dev/fido rw
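Review bot: The eight `/dev/videoN rw` lines only make sense together with the `n < 8` probe in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc, and this file does not record that; add `# keep in sync with the /dev/video[0-7] probe in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc` under `# needed for video(4)`. Without it, the next person who widens either the loop or this list has no cue that the other side exists, and nothing fails loudly when they disagree. As this is the main process unveil, it is also worth confirming that `rw` (rather than `r`, which is all the `O_RDONLY` probe needs) is required here; the diff does not show which process opens the capture device.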
> Index: www/ungoogled-chromium/files/unveil.utility_video
> ===================================================================
> RCS file: /home/cvs/ports/www/ungoogled-chromium/files/unveil.utility_video,v
> diff -u -p -u -p -r1.1.1.1 unveil.utility_video
> --- www/ungoogled-chromium/files/unveil.utility_video 4 Oct 2022 12:55:55 
> -0000       1.1.1.1
> +++ www/ungoogled-chromium/files/unveil.utility_video 4 Jan 2025 00:48:50 
> -0000
> @@ -5,4 +5,11 @@
>  /tmp rwc
>  
>  # needed for video(4)
> -/dev/video rw
> +/dev/video0 rw
> +/dev/video1 rw
> +/dev/video2 rw
> +/dev/video3 rw
> +/dev/video4 rw
> +/dev/video5 rw
> +/dev/video6 rw
> +/dev/video7 rw
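Review bot: The `/dev/video0`–`/dev/video7` entries depend on the `n < 8` bound of the GetDeviceIds probe in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc, and nothing here says so; add `# keep in sync with the /dev/video[0-7] probe in patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc` beside `# needed for video(4)`. A mismatch is silent, so the cross-reference is the only guard against an unveil entry nobody uses or a device the probe finds but this process cannot open.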
> Index: 
> www/ungoogled-chromium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
> ===================================================================
> RCS file: 
> /home/cvs/ports/www/ungoogled-chromium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc,v
> diff -u -p -u -p -r1.3 
> patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
> --- 
> www/ungoogled-chromium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
>        23 Apr 2024 07:27:06 -0000      1.3
> +++ 
> www/ungoogled-chromium/patches/patch-media_capture_video_linux_video_capture_device_factory_v4l2_cc
>        4 Jan 2025 00:54:06 -0000
> @@ -9,7 +9,7 @@ Index: media/capture/video/linux/video_c
>   // USB VID and PID are both 4 bytes long.
>   const size_t kVidPidSize = 4;
>   const size_t kMaxInterfaceNameSize = 256;
> -@@ -70,11 +71,15 @@ std::string ExtractFileNameFromDeviceId(const std::str
> +@@ -70,11 +71,24 @@ std::string ExtractFileNameFromDeviceId(const std::str
>     DCHECK(base::StartsWith(device_id, kDevDir, 
> base::CompareCase::SENSITIVE));
>     return device_id.substr(strlen(kDevDir), device_id.length());
>   }
> @@ -20,12 +20,21 @@ Index: media/capture/video/linux/video_c
>    public:
>     void GetDeviceIds(std::vector<std::string>* target_container) override {
>  +#if BUILDFLAG(IS_OPENBSD)
> -+    target_container->emplace_back("/dev/video");
> ++    char device[12];
> ++    int fd;
> ++    /* unveil(2) limits access to /dev/, try /dev/video[0-7] */
> ++    for (int n = 0; n < 8; n++) {
> ++      snprintf(device, sizeof(device), "/dev/video%d", n);
> ++      if ((fd = open(device, O_RDONLY)) != -1) {
> ++        close(fd);
> ++        target_container->emplace_back(device);
> ++      }
> ++    }
>  +#else
>       const base::FilePath path("/dev/");
>       base::FileEnumerator enumerator(path, false, 
> base::FileEnumerator::FILES,
>                                       "video*");
> -@@ -82,9 +87,13 @@ class DevVideoFilePathsDeviceProvider
> +@@ -82,9 +96,13 @@ class DevVideoFilePathsDeviceProvider
>         const base::FileEnumerator::FileInfo info = enumerator.GetInfo();
>         target_container->emplace_back(path.value() + info.GetName().value());
>       }
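Review bot: The `open(device, O_RDONLY)` test in the new `BUILDFLAG(IS_OPENBSD)` branch of GetDeviceIds makes enumeration depend on the device being openable at that instant, not on it existing, so a node held by another process (if video(4) is exclusive-open, which I cannot confirm from the diff) or one returning EACCES silently vanishes from the list; the `#else` branch, by contrast, lists `/dev/video*` by name without opening anything. Keeping `open()` is defensible because `/dev/videoN` nodes can exist without attached hardware, but busy or denied nodes should still be reported: `} else if (errno == EBUSY || errno == EACCES) {` / `  target_container->emplace_back(device);` after the `close(fd)` branch, with `<cerrno>` in scope. `char device[12]` is sized to exactly fit `/dev/video%d` for `n <= 9`, so the buffer and the `n < 8` bound should be tied together, e.g. `char device[sizeof("/dev/video") + 2];`, or the path built with `base::StringPrintf` as this file already does elsewhere. GetDeviceIds closes outside the hunk.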
> @@ -39,7 +48,7 @@ Index: media/capture/video/linux/video_c
>       const std::string file_name = ExtractFileNameFromDeviceId(device_id);
>       std::string usb_id;
>       const std::string vid_path =
> -@@ -101,9 +110,13 @@ class DevVideoFilePathsDeviceProvider
> +@@ -101,9 +119,13 @@ class DevVideoFilePathsDeviceProvider
>       }
>   
>       return usb_id;
> @@ -53,7 +62,7 @@ Index: media/capture/video/linux/video_c
>       const std::string file_name = ExtractFileNameFromDeviceId(device_id);
>       const std::string interface_path =
>           base::StringPrintf(kInterfacePathTemplate, file_name.c_str());
> -@@ -114,6 +127,7 @@ class DevVideoFilePathsDeviceProvider
> +@@ -114,6 +136,7 @@ class DevVideoFilePathsDeviceProvider
>         return std::string();
>       }
>       return display_name;
> @@ -61,7 +70,7 @@ Index: media/capture/video/linux/video_c
>     }
>   };
>   
> -@@ -219,7 +233,7 @@ void VideoCaptureDeviceFactoryV4L2::GetDevicesInfo(
> +@@ -219,7 +242,7 @@ void VideoCaptureDeviceFactoryV4L2::GetDevicesInfo(
>     std::move(callback).Run(std::move(devices_info));
>   }
>   
> 
> -- 
> wbr, Kirill
