diff options
| author |  rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-11-09 16:08:48 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2020-11-09 16:08:48 +0000 |
| commit | 594300374dc15bd704bcb1f2a98b17faef80aa79 (patch) | |
| tree | ac1b6d8c80a94f26c82c17ee30c34a1623f9c064 /etc/profile-a-l/chromium-browser-privacy.profile | |
| parent | adding test-profiles to ci test (diff) | |
| download | firejail-594300374dc15bd704bcb1f2a98b17faef80aa79.tar.gz firejail-594300374dc15bd704bcb1f2a98b17faef80aa79.tar.zst firejail-594300374dc15bd704bcb1f2a98b17faef80aa79.zip | |
rework chromium (#3688)
* rework chromium
+ 516d0811 has removed fundamental security features.
(remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add
caps.keep)
Though this is only necessary if running under a kernel which
disallow
unprivileged userns clones. Arch's linux-hardened and debian kernel
are
patched accordingly. Arch's linux and linux-lts kernels support this
restriction via sysctk (kernel.unprivileged_userns_clone=0) as users
opt-in.
Other kernels such as mainline or fedora/redhat always support
unprivileged
userns clone and have no sysctl parameter to disable it. Debian and
Arch
users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
This commit adds a chromium-common-hardened.inc which can be included
in
chromium-common to enhance security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add wruc and wusc, but disable it for the
following
profiles until tested. tests welcome.
- [ ] bnox, dnox, enox, inox, snox
- [ ] brave
- [ ] flashpeak-slimjet
- [ ] google-chrome, google-chrome-beta, google-chrome-unstable
- [ ] iridium
- [ ] min
- [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
/usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can
be
vivaldi-stable, vivaldi-beta or vivaldi-snapshot.
vivaldi-snapshot.profile
missed also some features from vivaldi.profile, solve this by making
it
redirect to vivaldi.profile. TODO: exist new paths such as
.local/lib/vivaldi
also for vivaldi-snapshot?
+ create chromium-browser-privacy.profile (closes #3633)
* update 1
+ add missing 'ignore whitelist /usr/share/chromium'
+ revert 'Move drm-relaktions in vivaldi.profile behind
BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such
as AAC too. In addition vivaldi shows a something is broken pop-up,
we would have a lot of 'does not work with firejail' issues.
* update 2
* update 3
fixes #3709
Diffstat (limited to 'etc/profile-a-l/chromium-browser-privacy.profile')
| -rw-r--r-- | etc/profile-a-l/chromium-browser-privacy.profile | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile new file mode 100644 index 000000000..09eaa2d12 --- /dev/null +++ b/etc/profile-a-l/chromium-browser-privacy.profile | |||
| @@ -0,0 +1,17 @@ | |||
| 1 | # Firejail profile for chromium-browser-privacy | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include chromium-browser-privacy.local | ||
| 5 | |||
| 6 | noblacklist ${HOME}/.cache/ungoogled-chromium | ||
| 7 | noblacklist ${HOME}/.config/ungoogled-chromium | ||
| 8 | |||
| 9 | mkdir ${HOME}/.cache/ungoogled-chromium | ||
| 10 | mkdir ${HOME}/.config/ungoogled-chromium | ||
| 11 | whitelist ${HOME}/.cache/ungoogled-chromium | ||
| 12 | whitelist ${HOME}/.config/ungoogled-chromium | ||
| 13 | |||
| 14 | # private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings | ||
| 15 | |||
| 16 | # Redirect | ||
| 17 | include chromium.profile | ||