rework chromium (#3688)

* rework chromium

 + 516d0811 has removed fundamental security features.
   (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add
caps.keep)
   Though this is only necessary if running under a kernel which
disallow
   unprivileged userns clones. Arch's linux-hardened and debian kernel
are
   patched accordingly. Arch's linux and linux-lts kernels support this
   restriction via sysctk (kernel.unprivileged_userns_clone=0) as users
opt-in.
   Other kernels such as mainline or fedora/redhat always support
unprivileged
   userns clone and have no sysctl parameter to disable it. Debian and
Arch
   users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
   This commit adds a chromium-common-hardened.inc which can be included
in
   chromium-common to enhance security of chromium-based programs.

 + chromium-common.profile: add private-cache

 + chromium-common.profile: add wruc and wusc, but disable it for the
   following
   profiles until tested. tests welcome.

    - [ ] bnox, dnox, enox, inox, snox
    - [ ] brave
    - [ ] flashpeak-slimjet
    - [ ] google-chrome, google-chrome-beta, google-chrome-unstable
    - [ ] iridium
    - [ ] min
    - [ ] opera, opera-beta

 + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
   /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can
be
  vivaldi-stable, vivaldi-beta or vivaldi-snapshot.
vivaldi-snapshot.profile
  missed also some features from vivaldi.profile, solve this by making
it
  redirect to vivaldi.profile. TODO: exist new paths such as
.local/lib/vivaldi
  also for vivaldi-snapshot?

 + create chromium-browser-privacy.profile (closes #3633)

* update 1

 + add missing 'ignore whitelist /usr/share/chromium'

 + revert 'Move drm-relaktions in vivaldi.profile behind
   BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such
   as AAC too. In addition vivaldi shows a something is broken pop-up,
   we would have a lot of 'does not work with firejail' issues.

* update 2

* update 3

fixes #3709

9 files changed, 38 insertions, 13 deletions

diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
index 7f3aeab44..5dac50cd8 100644
--- a/etc/profile-m-z/min.profile
+++ b/etc/profile-m-z/min.profile
@@ -6,6 +6,11 @@ include min.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.config/Min
 
 mkdir ${HOME}/.config/Min
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 8658d30c6..551f1aba4 100644
--- a/etc/profile-m-z/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
@@ -5,6 +5,11 @@ include opera-beta.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera-beta
 
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
index b342b3961..2c7c5fc35 100644
--- a/etc/profile-m-z/opera.profile
+++ b/etc/profile-m-z/opera.profile
@@ -6,6 +6,11 @@ include opera.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
 noblacklist ${HOME}/.opera
diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
index 3b3fd1ae1..83493652c 100644
--- a/etc/profile-m-z/snox.profile
+++ b/etc/profile-m-z/snox.profile
@@ -5,6 +5,11 @@ include snox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/snox
 noblacklist ${HOME}/.config/snox
 
diff --git a/etc/profile-m-z/vivaldi-beta.profile b/etc/profile-m-z/vivaldi-beta.profile
index 5de5682a3..0d80167f3 100644
--- a/etc/profile-m-z/vivaldi-beta.profile
+++ b/etc/profile-m-z/vivaldi-beta.profile
@@ -1,5 +1,7 @@
-# Firejail profile alias for vivaldi
+# Firejail profile for vivaldi-beta
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-beta.local
 
 # Redirect
 include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi-snapshot.profile b/etc/profile-m-z/vivaldi-snapshot.profile
index ea4a4009f..543f206af 100644
--- a/etc/profile-m-z/vivaldi-snapshot.profile
+++ b/etc/profile-m-z/vivaldi-snapshot.profile
@@ -2,16 +2,6 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vivaldi-snapshot.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.cache/vivaldi-snapshot
-noblacklist ${HOME}/.config/vivaldi-snapshot
-
-mkdir ${HOME}/.cache/vivaldi-snapshot
-mkdir ${HOME}/.config/vivaldi-snapshot
-whitelist ${HOME}/.cache/vivaldi-snapshot
-whitelist ${HOME}/.config/vivaldi-snapshot
 
 # Redirect
-include chromium-common.profile
+include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi-stable.profile b/etc/profile-m-z/vivaldi-stable.profile
index 5de5682a3..94b2cd76c 100644
--- a/etc/profile-m-z/vivaldi-stable.profile
+++ b/etc/profile-m-z/vivaldi-stable.profile
@@ -1,5 +1,7 @@
-# Firejail profile alias for vivaldi
+# Firejail profile for vivaldi-stable
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-stable.local
 
 # Redirect
 include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 096ce8a72..541942453 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -13,14 +13,20 @@ whitelist /var/opt/vivaldi
 writable-var
 
 noblacklist ${HOME}/.cache/vivaldi
+noblacklist ${HOME}/.cache/vivaldi-snapshot
 noblacklist ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.config/vivaldi-snapshot
 noblacklist ${HOME}/.local/lib/vivaldi
 
 mkdir ${HOME}/.cache/vivaldi
+mkdir ${HOME}/.cache/vivaldi-snapshot
 mkdir ${HOME}/.config/vivaldi
+mkdir ${HOME}/.config/vivaldi-snapshot
 mkdir ${HOME}/.local/lib/vivaldi
 whitelist ${HOME}/.cache/vivaldi
+whitelist ${HOME}/.cache/vivaldi-snapshot
 whitelist ${HOME}/.config/vivaldi
+whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
 
 # breaks vivaldi sync
diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
index 680bef677..81cd021f7 100644
--- a/etc/profile-m-z/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -5,6 +5,11 @@ include yandex-browser.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
 noblacklist ${HOME}/.config/yandex-browser