From 594300374dc15bd704bcb1f2a98b17faef80aa79 Mon Sep 17 00:00:00 2001 
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Mon, 9 Nov 2020 16:08:48 +0000 Subject: rework chromium (#3688) * rework chromium + 516d0811 has removed fundamental security features. (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep) Though this is only necessary if running under a kernel which disallow unprivileged userns clones. Arch's linux-hardened and debian kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctk (kernel.unprivileged_userns_clone=0) as users opt-in. Other kernels such as mainline or fedora/redhat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'. This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance security of chromium-based programs. + chromium-common.profile: add private-cache + chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. tests welcome. - [ ] bnox, dnox, enox, inox, snox - [ ] brave - [ ] flashpeak-slimjet - [ ] google-chrome, google-chrome-beta, google-chrome-unstable - [ ] iridium - [ ] min - [ ] opera, opera-beta + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi. /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile missed also some features from vivaldi.profile, solve this by making it redirect to vivaldi.profile. TODO: exist new paths such as .local/lib/vivaldi also for vivaldi-snapshot? + create chromium-browser-privacy.profile (closes #3633) * update 1 + add missing 'ignore whitelist /usr/share/chromium' + revert 'Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such as AAC too. 
In addition vivaldi shows a something is broken pop-up, we would have a lot of 'does not work with firejail' issues. * update 2 * update 3 fixes #3709
---
 etc/profile-a-l/bnox.profile | 5 +++++
 etc/profile-a-l/brave.profile | 6 ++++++
 etc/profile-a-l/chromium-browser-privacy.profile | 17 +++++++++++++++++
 etc/profile-a-l/chromium-common.profile | 13 ++++++++++++-
 etc/profile-a-l/dnox.profile | 5 +++++
 etc/profile-a-l/enox.profile | 5 +++++
 etc/profile-a-l/flashpeak-slimjet.profile | 5 +++++
 etc/profile-a-l/google-chrome-beta.profile | 5 +++++
 etc/profile-a-l/google-chrome-unstable.profile | 5 +++++
 etc/profile-a-l/google-chrome.profile | 5 +++++
 etc/profile-a-l/inox.profile | 5 +++++
 etc/profile-a-l/iridium.profile | 5 +++++
 12 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 etc/profile-a-l/chromium-browser-privacy.profile
(limited to 'etc/profile-a-l')
diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
index 031f3f4bd..6e8f0d7d1 100644
--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@@ -5,6 +5,11 @@ include bnox.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/bnox
 noblacklist ${HOME}/.config/bnox
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 35c59f5a3..904d3e94f 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
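Review bot: The comment above the three added `ignore` lines in bnox.profile says only "Disable for now" plus a link, so someone reading the profile cannot tell what is being opted out of or when the lines can be removed. These lines switch off the `/usr/share/chromium` whitelist and the two whitelist includes that chromium-common.profile gains in this same commit, which leaves these browsers less confined than chromium itself. I would say so in the file, e.g. `# whitelist-runuser-common.inc / whitelist-usr-share-common.inc untested with bnox; remove these ignores once verified (PR #3688)`. The identical block is added to brave, dnox, enox, flashpeak-slimjet, google-chrome, google-chrome-beta, google-chrome-unstable, inox and iridium, and the same applies there.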
@@ -8,6 +8,12 @@ include globals.local
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
+# TOR is installed in ${HOME}
+ignore noexec ${HOME}
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
new file mode 100644
index 000000000..09eaa2d12
--- /dev/null
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -0,0 +1,17 @@
+# Firejail profile for chromium-browser-privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser-privacy.local
+
+noblacklist ${HOME}/.cache/ungoogled-chromium
+noblacklist ${HOME}/.config/ungoogled-chromium
+
+mkdir ${HOME}/.cache/ungoogled-chromium
+mkdir ${HOME}/.config/ungoogled-chromium
+whitelist ${HOME}/.cache/ungoogled-chromium
+whitelist ${HOME}/.config/ungoogled-chromium
+
+# private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+
+# Redirect
+include chromium.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 899400d25..6a9cf99b0 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
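Review bot: `ignore noexec ${HOME}` in brave.profile lifts the no-exec restriction for the whole home directory, not only for the Tor binary the comment names, and the profile already ignores `noexec /tmp` just above. chromium-common.profile whitelists `${DOWNLOADS}` (visible in its hunk in this commit), so unless something outside this hunk prevents it, downloaded files become executable inside the sandbox. The comment should record that trade-off and the actual location, e.g. `# Brave's Tor binary lives under ${HOME} (<TOR_PATH - confirm>); this re-enables exec for all of ${HOME}, including ${DOWNLOADS}`. The profile continues outside the hunk.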
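Review bot: The new chromium-browser-privacy.profile has no `include globals.local`, whereas every other browser profile touched by this commit includes it right after its own `.local` file. If the redirect to chromium.profile is meant to pull it in, the file should say so, e.g. `# Persistent global definitions` followed by `# added by included profile` and `#include globals.local`; otherwise the include should be added. The commented-out `# private-bin ...` line also carries no note on why it is left disabled.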
@@ -16,16 +16,25 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+# include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist /usr/share/chromium
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
+
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
@@ -36,8 +45,10 @@ notv
 shell none
 disable-mnt
+private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-# private-tmp - problems with multiple browser sessions
+# problems with multiple browser sessions
+#private-tmp
 # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 # dbus-user none
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
index e02395771..51ba6f8b7 100644
--- a/etc/profile-a-l/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
@@ -5,6 +5,11 @@ include dnox.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
index d8ac8b24a..d982433e2 100644
--- a/etc/profile-a-l/enox.profile
+++ b/etc/profile-a-l/enox.profile
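Review bot: The hardening include in the first chromium-common.profile hunk is added commented out, so the default profile still runs with `caps.keep sys_admin,sys_chroot` (the context just below it), and the new comment does not say what uncommenting changes. Going by the commit message, the hardened file presumably restores caps.drop=all, nonewprivs, noroot, seccomp and protocol; the comment should state that and how to check the prerequisite, e.g. `# Restores caps.drop all, nonewprivs, noroot, seccomp, protocol. Needs unprivileged user namespaces (Debian/Arch: sysctl kernel.unprivileged_userns_clone=1).` The added `# include disable-passwdmgr.inc` likewise needs a word on why it is left disabled. chromium-common-hardened.inc itself is not part of this view, so its contents cannot be checked here.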
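Review bot: `private-cache` is added in the second chromium-common.profile hunk while per-browser profiles still `mkdir` and `whitelist` their own directory under `${HOME}/.cache` (the new chromium-browser-privacy.profile in this commit does so for `ungoogled-chromium`). Which of the two takes effect is not visible from this hunk, so it needs a comment here or in those profiles, e.g. `# private-cache replaces ${HOME}/.cache; per-profile whitelist of ${HOME}/.cache/<browser> - confirm interaction`. If the cache whitelist entries turn out to be dead, removing them would keep the profiles accurate about what persists between sessions. The profile continues outside the hunk.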
@@ -5,6 +5,11 @@ include enox.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/Enox
 noblacklist ${HOME}/.config/Enox
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index b841bce75..310fb378f 100644
--- a/etc/profile-a-l/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
@@ -5,6 +5,11 @@ include flashpeak-slimjet.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/slimjet
 noblacklist ${HOME}/.config/slimjet
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index a62e4cf74..ebe5e870b 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -5,6 +5,11 @@ include google-chrome-beta.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 14547eab2..4d303f71b 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -5,6 +5,11 @@ include google-chrome-unstable.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index 66f76caa0..ed2595f72 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -5,6 +5,11 @@ include google-chrome.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
index 1b3db73b4..a5cac12f2 100644
--- a/etc/profile-a-l/inox.profile
+++ b/etc/profile-a-l/inox.profile
@@ -5,6 +5,11 @@ include inox.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
index ebb39b0a3..3037d00e9 100644
--- a/etc/profile-a-l/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
@@ -5,6 +5,11 @@ include iridium.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
--
cgit v1.2.3-70-g09d2