author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-11-09 16:08:48 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-09 16:08:48 +0000 |
commit | 594300374dc15bd704bcb1f2a98b17faef80aa79 (patch) | |
tree | ac1b6d8c80a94f26c82c17ee30c34a1623f9c064 /etc/profile-a-l/chromium-common.profile | |
parent | adding test-profiles to ci test (diff) | |
rework chromium (#3688)
* rework chromium
  + 516d0811 has removed fundamental security features.
    (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep)
    Though this is only necessary if running under a kernel which disallows unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctl (kernel.unprivileged_userns_clone=0) as users opt-in.
    Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
    This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs.
  + chromium-common.profile: add private-cache
  + chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. tests welcome.
    - [ ] bnox, dnox, enox, inox, snox
    - [ ] brave
    - [ ] flashpeak-slimjet
    - [ ] google-chrome, google-chrome-beta, google-chrome-unstable
    - [ ] iridium
    - [ ] min
    - [ ] opera, opera-beta
  + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
    /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile missed also some features from vivaldi.profile, solve this by making it redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi also for vivaldi-snapshot?
  + create chromium-browser-privacy.profile (closes #3633)
* update 1
  + add missing 'ignore whitelist /usr/share/chromium'
  + revert 'Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.'. This breaks not just DRM, it breaks things such as AAC too. In addition vivaldi shows a something is broken pop-up, we would have a lot of 'does not work with firejail' issues.
* update 2
* update 3
fixes #3709
Diffstat (limited to 'etc/profile-a-l/chromium-common.profile')
-rw-r--r-- | etc/profile-a-l/chromium-common.profile | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index 899400d25..6a9cf99b0 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile | |||
@@ -16,16 +16,25 @@ include disable-common.inc | |||
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | 17 | include disable-exec.inc |
18 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
19 | # include disable-passwdmgr.inc | ||
19 | include disable-programs.inc | 20 | include disable-programs.inc |
21 | include disable-xdg.inc | ||
20 | 22 | ||
21 | mkdir ${HOME}/.pki | 23 | mkdir ${HOME}/.pki |
22 | mkdir ${HOME}/.local/share/pki | 24 | mkdir ${HOME}/.local/share/pki |
23 | whitelist ${DOWNLOADS} | 25 | whitelist ${DOWNLOADS} |
24 | whitelist ${HOME}/.pki | 26 | whitelist ${HOME}/.pki |
25 | whitelist ${HOME}/.local/share/pki | 27 | whitelist ${HOME}/.local/share/pki |
28 | whitelist /usr/share/chromium | ||
26 | include whitelist-common.inc | 29 | include whitelist-common.inc |
30 | include whitelist-runuser-common.inc | ||
31 | include whitelist-usr-share-common.inc | ||
27 | include whitelist-var-common.inc | 32 | include whitelist-var-common.inc |
28 | 33 | ||
34 | # Uncomment the next line (or add it to your chromium-common.local) | ||
35 | # if your kernel allows unprivileged userns clone. | ||
36 | #include chromium-common-hardened.inc | ||
37 | |||
29 | apparmor | 38 | apparmor |
30 | caps.keep sys_admin,sys_chroot | 39 | caps.keep sys_admin,sys_chroot |
31 | netfilter | 40 | netfilter |
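Review bot: The hardened include at new lines 34-36 is opt-in, so the default profile still runs with `caps.keep sys_admin,sys_chroot` (new line 39), and the comment does not tell the user how to find out whether their kernel allows unprivileged userns clone. Suggest naming the check in the comment, for example the `kernel.unprivileged_userns_clone` sysctl that the commit message mentions, and stating that kernels without that sysctl always allow it. Separately, `whitelist /usr/share/chromium` (new line 28) is specific to one browser but sits in the profile shared by all chromium-based browsers, which is why other profiles then need `ignore whitelist /usr/share/chromium`; consider placing it in the chromium profile instead. The commented-out `# include disable-passwdmgr.inc` (new line 19) also gives no reason for being disabled.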
@@ -36,8 +45,10 @@ notv | |||
36 | shell none | 45 | shell none |
37 | 46 | ||
38 | disable-mnt | 47 | disable-mnt |
48 | private-cache | ||
39 | ?BROWSER_DISABLE_U2F: private-dev | 49 | ?BROWSER_DISABLE_U2F: private-dev |
40 | # private-tmp - problems with multiple browser sessions | 50 | # problems with multiple browser sessions |
51 | #private-tmp | ||
41 | 52 | ||
42 | # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector | 53 | # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector |
43 | # dbus-user none | 54 | # dbus-user none |
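Review bot: `private-cache` (new line 48) is added without a comment, and it changes behaviour for every profile that includes this file: ~/.cache is covered by a temporary filesystem, so the browser's on-disk cache is discarded when the sandbox closes. Suggest a one-line comment saying so, and mentioning that users who want a persistent cache can put `ignore private-cache` in their .local file, in the same way the neighbouring `#private-tmp` line carries its reason.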