From 594300374dc15bd704bcb1f2a98b17faef80aa79 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Mon, 9 Nov 2020 16:08:48 +0000
Subject: rework chromium (#3688)

* rework chromium

 + 516d0811 has removed fundamental security features.
   (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add
caps.keep)
   Though this is only necessary if running under a kernel which
disallow
   unprivileged userns clones. Arch's linux-hardened and debian kernel
are
   patched accordingly. Arch's linux and linux-lts kernels support this
   restriction via sysctk (kernel.unprivileged_userns_clone=0) as users
opt-in.
   Other kernels such as mainline or fedora/redhat always support
unprivileged
   userns clone and have no sysctl parameter to disable it. Debian and
Arch
   users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
   This commit adds a chromium-common-hardened.inc which can be included
in
   chromium-common to enhance security of chromium-based programs.

 + chromium-common.profile: add private-cache

 + chromium-common.profile: add wruc and wusc, but disable it for the
   following
   profiles until tested. tests welcome.

    - [ ] bnox, dnox, enox, inox, snox
    - [ ] brave
    - [ ] flashpeak-slimjet
    - [ ] google-chrome, google-chrome-beta, google-chrome-unstable
    - [ ] iridium
    - [ ] min
    - [ ] opera, opera-beta

 + move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
   /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can
be
  vivaldi-stable, vivaldi-beta or vivaldi-snapshot.
vivaldi-snapshot.profile
  missed also some features from vivaldi.profile, solve this by making
it
  redirect to vivaldi.profile. TODO: exist new paths such as
.local/lib/vivaldi
  also for vivaldi-snapshot?

 + create chromium-browser-privacy.profile (closes #3633)

* update 1

 + add missing 'ignore whitelist /usr/share/chromium'

 + revert 'Move drm-relaktions in vivaldi.profile behind
   BROWSER_ALLOW_DRM.'. This breaks not just DRM, it break things such
   as AAC too. In addition vivaldi shows a something is broken pop-up,
   we would have a lot of 'does not work with firejail' issues.

* update 2

* update 3

fixes #3709
---
 etc/profile-m-z/snox.profile | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'etc/profile-m-z/snox.profile')

diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
index 3b3fd1ae1..83493652c 100644
--- a/etc/profile-m-z/snox.profile
+++ b/etc/profile-m-z/snox.profile
@@ -5,6 +5,11 @@ include snox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/snox
 noblacklist ${HOME}/.config/snox
 
-- 
cgit v1.2.3-70-g09d2