rework chromium (#3688)

* rework chromium

 + 516d0811 has removed fundamental security features.
   (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add
caps.keep)
   Though this is only necessary if running under a kernel which
disallow
   unprivileged userns clones. Arch's linux-hardened and debian kernel
are
   patched accordingly. Arch's linux and linux-lts kernels support this
   restriction via sysctk (kernel.unprivileged_userns_clone=0) as users
opt-in.
   Other kernels such as mainline or fedora/redhat always support
unprivileged
   userns clone and have no sysctl parameter to disable it. Debian and
Arch
   users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
   This commit adds a chromium-common-hardened.inc which can be included
in
   chromium-common to enhance security of chromium-based programs.

 + chromium-common.profile: add private-cache

 + chromium-common.profile: add wruc and wusc, but disable it for the
   following
   profiles until tested. tests welcome.

    - [ ] bnox, dnox, enox, inox, snox
    - [ ] brave
    - [ ] flashpeak-slimjet
    - [ ] google-chrome, google-chrome-beta, google-chrome-unstable
    - [ ] iridium
    - [ ] min
    - [ ] opera, opera-beta

 + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
   /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can
be
  vivaldi-stable, vivaldi-beta or vivaldi-snapshot.
vivaldi-snapshot.profile
  missed also some features from vivaldi.profile, solve this by making
it
  redirect to vivaldi.profile. TODO: exist new paths such as
.local/lib/vivaldi
  also for vivaldi-snapshot?

 + create chromium-browser-privacy.profile (closes #3633)

* update 1

 + add missing 'ignore whitelist /usr/share/chromium'

 + revert 'Move drm-relaktions in vivaldi.profile behind
   BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such
   as AAC too. In addition vivaldi shows a something is broken pop-up,
   we would have a lot of 'does not work with firejail' issues.

* update 2

* update 3

fixes #3709

1 files changed, 12 insertions, 1 deletions

diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 899400d25..6a9cf99b0 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -16,16 +16,25 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+# include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist /usr/share/chromium
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
+
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
@@ -36,8 +45,10 @@ notv
 shell none
 
 disable-mnt
+private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-# private-tmp - problems with multiple browser sessions
+# problems with multiple browser sessions
+#private-tmp
 
 # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 # dbus-user none