aboutsummaryrefslogtreecommitdiffstats
path: root/etc/profile-a-l/google-chrome.profile
diff options
context:
space:
mode:
authorLibravatar rusty-snake <41237666+rusty-snake@users.noreply.github.com>2020-11-09 16:08:48 +0000
committerLibravatar GitHub <noreply@github.com>2020-11-09 16:08:48 +0000
commit594300374dc15bd704bcb1f2a98b17faef80aa79 (patch)
treeac1b6d8c80a94f26c82c17ee30c34a1623f9c064 /etc/profile-a-l/google-chrome.profile
parentadding test-profiles to ci test (diff)
downloadfirejail-594300374dc15bd704bcb1f2a98b17faef80aa79.tar.gz
firejail-594300374dc15bd704bcb1f2a98b17faef80aa79.tar.zst
firejail-594300374dc15bd704bcb1f2a98b17faef80aa79.zip
rework chromium (#3688)
* rework chromium + 516d0811 has removed fundamental security features. (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep) Though this is only necessary if running under a kernel which disallow unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctk (kernel.unprivileged_userns_clone=0) as users opt-in. Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'. This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs. + chromium-common.profile: add private-cache + chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. tests welcome. - [ ] bnox, dnox, enox, inox, snox - [ ] brave - [ ] flashpeak-slimjet - [ ] google-chrome, google-chrome-beta, google-chrome-unstable - [ ] iridium - [ ] min - [ ] opera, opera-beta + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi. /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile missed also some features from vivaldi.profile, solve this by making it redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi also for vivaldi-snapshot? + create chromium-browser-privacy.profile (closes #3633) * update 1 + add missing 'ignore whitelist /usr/share/chromium' + revert 'Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such as AAC too. In addition vivaldi shows a something is broken pop-up, we would have a lot of 'does not work with firejail' issues. * update 2 * update 3 fixes #3709
Diffstat (limited to 'etc/profile-a-l/google-chrome.profile')
-rw-r--r--etc/profile-a-l/google-chrome.profile5
1 files changed, 5 insertions, 0 deletions
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index 66f76caa0..ed2595f72 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -5,6 +5,11 @@ include google-chrome.local
5# Persistent global definitions 5# Persistent global definitions
6include globals.local 6include globals.local
7 7
8# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
9ignore whitelist /usr/share/chromium
10ignore include whitelist-runuser-common.inc
11ignore include whitelist-usr-share-common.inc
12
8noblacklist ${HOME}/.cache/google-chrome 13noblacklist ${HOME}/.cache/google-chrome
9noblacklist ${HOME}/.config/google-chrome 14noblacklist ${HOME}/.config/google-chrome
10 15