From 594300374dc15bd704bcb1f2a98b17faef80aa79 Mon Sep 17 00:00:00 2001 
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Mon, 9 Nov 2020 16:08:48 +0000
Subject: rework chromium (#3688)

* rework chromium

+ 516d0811 has removed fundamental security features. (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add caps.keep) Though this is only necessary if running under a kernel which disallows unprivileged userns clones. Arch's linux-hardened and Debian's kernel are patched accordingly. Arch's linux and linux-lts kernels support this restriction via sysctl (kernel.unprivileged_userns_clone=0) as an opt-in for users. Other kernels such as mainline or Fedora/Red Hat always support unprivileged userns clone and have no sysctl parameter to disable it. Debian and Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'. This commit adds a chromium-common-hardened.inc which can be included in chromium-common to enhance the security of chromium-based programs.
+ chromium-common.profile: add private-cache
+ chromium-common.profile: add whitelist-runuser-common.inc (wruc) and whitelist-usr-share-common.inc (wusc), but disable them for the following profiles until tested. Tests welcome.
  - [ ] bnox, dnox, enox, inox, snox
  - [ ] brave
  - [ ] flashpeak-slimjet
  - [ ] google-chrome, google-chrome-beta, google-chrome-unstable
  - [ ] iridium
  - [ ] min
  - [ ] opera, opera-beta
+ move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi. /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile also missed some features from vivaldi.profile; solve this by making it redirect to vivaldi.profile. TODO: do new paths such as .local/lib/vivaldi also exist for vivaldi-snapshot?
+ create chromium-browser-privacy.profile (closes #3633)

* update 1

+ add missing 'ignore whitelist /usr/share/chromium'
+ revert 'Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.'. This breaks not just DRM, it breaks things such as AAC too.
In addition vivaldi shows a something is broken pop-up, we would have a lot of 'does not work with firejail' issues. * update 2 * update 3 fixes #3709
---
 etc/inc/chromium-common-hardened.inc | 5 +++++
 etc/inc/disable-programs.inc | 2 ++
 etc/profile-a-l/bnox.profile | 5 +++++
 etc/profile-a-l/brave.profile | 6 ++++++
 etc/profile-a-l/chromium-browser-privacy.profile | 17 +++++++++++++++++
 etc/profile-a-l/chromium-common.profile | 13 ++++++++++++-
 etc/profile-a-l/dnox.profile | 5 +++++
 etc/profile-a-l/enox.profile | 5 +++++
 etc/profile-a-l/flashpeak-slimjet.profile | 5 +++++
 etc/profile-a-l/google-chrome-beta.profile | 5 +++++
 etc/profile-a-l/google-chrome-unstable.profile | 5 +++++
 etc/profile-a-l/google-chrome.profile | 5 +++++
 etc/profile-a-l/inox.profile | 5 +++++
 etc/profile-a-l/iridium.profile | 5 +++++
 etc/profile-m-z/min.profile | 5 +++++
 etc/profile-m-z/opera-beta.profile | 5 +++++
 etc/profile-m-z/opera.profile | 5 +++++
 etc/profile-m-z/snox.profile | 5 +++++
 etc/profile-m-z/vivaldi-beta.profile | 4 +++-
 etc/profile-m-z/vivaldi-snapshot.profile | 12 +-----------
 etc/profile-m-z/vivaldi-stable.profile | 4 +++-
 etc/profile-m-z/vivaldi.profile | 6 ++++++
 etc/profile-m-z/yandex-browser.profile | 5 +++++
 23 files changed, 125 insertions(+), 14 deletions(-)
 create mode 100644 etc/inc/chromium-common-hardened.inc
 create mode 100644 etc/profile-a-l/chromium-browser-privacy.profile
(limited to 'etc')

diff --git a/etc/inc/chromium-common-hardened.inc b/etc/inc/chromium-common-hardened.inc
new file mode 100644
index 000000000..f33ce3115
--- /dev/null
+++ b/etc/inc/chromium-common-hardened.inc
@@ -0,0 +1,5 @@
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 1fba79f43..7e3c0b657 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
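Review bot: The new chromium-common-hardened.inc carries no header at all, while the other new file in this commit (chromium-browser-privacy.profile) opens with `# This file is overwritten after every install/update`, and nothing in the include itself says it must only be used when the kernel permits unprivileged user namespaces — that precondition is only recorded in a comment in chromium-common.profile and in the commit message. I would open the file with `# This file is overwritten after every install/update` followed by `# Only include this if your kernel allows unprivileged userns clone (see chromium-common.profile); with caps.drop all/nonewprivs/noroot the setuid sandbox cannot be used` — the last clause is my reading of the commit message and should be confirmed. A reader of the five directives also cannot tell why `seccomp !chroot` needs the exception; a one-line reason next to it (presumably the Chromium sandbox itself chroots) would keep someone from "tightening" it later.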
@@ -391,6 +391,7 @@ blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/tvbrowser
 blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/ungoogled-chromium
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
 blacklist ${HOME}/.config/vivaldi
@@ -977,6 +978,7 @@ blacklist ${HOME}/.cache/telepathy
 blacklist ${HOME}/.cache/thunderbird
 blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/ungoogled-chromium
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
 blacklist ${HOME}/.cache/vlc
diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
index 031f3f4bd..6e8f0d7d1 100644
--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@@ -5,6 +5,11 @@ include bnox.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/bnox
 noblacklist ${HOME}/.config/bnox
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 35c59f5a3..904d3e94f 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -8,6 +8,12 @@ include globals.local
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
+# TOR is installed in ${HOME}
+ignore noexec ${HOME}
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
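Review bot: In brave.profile, `ignore noexec ${HOME}` lifts the exec restriction for the entire home directory, but the comment above it only says `TOR is installed in ${HOME}`; presumably the Tor client Brave downloads lives somewhere under `~/.config/BraveSoftware`, so the comment should name where it actually runs from and say plainly that the exemption is far broader than that path. As far as I can tell firejail's `noexec` cannot be relaxed for a single subdirectory of a noexec home, which is the real reason for the broad exception and is worth recording: `# Brave downloads its Tor client into the profile directory (under ~/.config/BraveSoftware, verify) and executes it from there; noexec cannot be relaxed for that path alone, so exec is re-enabled for all of ${HOME}`. Tor is a proper name rather than an acronym, so `Tor` rather than `TOR`. The noexec/whitelist lines that this hunk touches are the only part of the profile visible here.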
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
new file mode 100644
index 000000000..09eaa2d12
--- /dev/null
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -0,0 +1,17 @@
+# Firejail profile for chromium-browser-privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser-privacy.local
+
+noblacklist ${HOME}/.cache/ungoogled-chromium
+noblacklist ${HOME}/.config/ungoogled-chromium
+
+mkdir ${HOME}/.cache/ungoogled-chromium
+mkdir ${HOME}/.config/ungoogled-chromium
+whitelist ${HOME}/.cache/ungoogled-chromium
+whitelist ${HOME}/.config/ungoogled-chromium
+
+# private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+
+# Redirect
+include chromium.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 899400d25..6a9cf99b0 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -16,16 +16,25 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+# include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist /usr/share/chromium
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
+
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
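Review bot: In the chromium-common.profile hunk, the commented-out `#include chromium-common-hardened.inc` sits two lines above `caps.keep sys_admin,sys_chroot`, and the include itself starts with `caps.drop all`; a user who follows the comment and enables it ends up with both directives in one profile, and the comment does not say which one firejail honours (I believe `caps.drop all` takes precedence regardless of order, but the reader should not have to check the source). I would extend the comment to `# if your kernel allows unprivileged userns clone. It sets caps.drop all, which overrides the caps.keep below (confirm with firejail --debug-caps).` or move the include below the `caps.keep` line so the intent is visible from ordering alone. The other new commented-out line, `# include disable-passwdmgr.inc`, has no reason attached, whereas the same file explains every other disabled directive (`private-tmp`, `dbus-user none`); a short `# breaks <what>` next to it would stop someone from enabling it blindly.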
@@ -36,8 +45,10 @@ notv
 shell none
 disable-mnt
+private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-# private-tmp - problems with multiple browser sessions
+# problems with multiple browser sessions
+#private-tmp
 # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 # dbus-user none
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
index e02395771..51ba6f8b7 100644
--- a/etc/profile-a-l/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
@@ -5,6 +5,11 @@ include dnox.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
index d8ac8b24a..d982433e2 100644
--- a/etc/profile-a-l/enox.profile
+++ b/etc/profile-a-l/enox.profile
@@ -5,6 +5,11 @@ include enox.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/Enox
 noblacklist ${HOME}/.config/Enox
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index b841bce75..310fb378f 100644
--- a/etc/profile-a-l/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
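Review bot: `private-cache` is added to chromium-common.profile without a comment, yet every profile that includes this file whitelists `${HOME}/.cache/<browser>` (bnox, dnox, enox, vivaldi and the new chromium-browser-privacy all do so in this very commit). private-cache mounts an empty tmpfs over `~/.cache`, so either the whitelisted cache directory is shadowed and the browser's disk cache is silently discarded per session, or firejail applies the whitelist after the tmpfs and the directive is a no-op for those paths — which of the two happens depends on firejail's mount order and is not stated anywhere. I would record the verified outcome next to the directive, e.g. `# private-cache: ~/.cache is a per-session tmpfs; the whitelisted ~/.cache/<browser> dirs are <hidden|still bind-mounted> (verified with firejail --debug)`, so that derived profiles know whether their `whitelist ${HOME}/.cache/...` lines still do anything.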
@@ -5,6 +5,11 @@ include flashpeak-slimjet.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/slimjet
 noblacklist ${HOME}/.config/slimjet
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index a62e4cf74..ebe5e870b 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -5,6 +5,11 @@ include google-chrome-beta.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 14547eab2..4d303f71b 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -5,6 +5,11 @@ include google-chrome-unstable.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index 66f76caa0..ed2595f72 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -5,6 +5,11 @@ include google-chrome.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
index 1b3db73b4..a5cac12f2 100644
--- a/etc/profile-a-l/inox.profile
+++ b/etc/profile-a-l/inox.profile
@@ -5,6 +5,11 @@ include inox.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
index ebb39b0a3..3037d00e9 100644
--- a/etc/profile-a-l/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
@@ -5,6 +5,11 @@ include iridium.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
index 7f3aeab44..5dac50cd8 100644
--- a/etc/profile-m-z/min.profile
+++ b/etc/profile-m-z/min.profile
@@ -6,6 +6,11 @@ include min.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.config/Min
 mkdir ${HOME}/.config/Min
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 8658d30c6..551f1aba4 100644
--- a/etc/profile-m-z/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
@@ -5,6 +5,11 @@ include opera-beta.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera-beta
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
index b342b3961..2c7c5fc35 100644
--- a/etc/profile-m-z/opera.profile
+++ b/etc/profile-m-z/opera.profile
@@ -6,6 +6,11 @@ include opera.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
 noblacklist ${HOME}/.opera
diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
index 3b3fd1ae1..83493652c 100644
--- a/etc/profile-m-z/snox.profile
+++ b/etc/profile-m-z/snox.profile
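Review bot: The `# Disable for now, see …` comment added to opera-beta.profile links to a tutorialspoint article about `void main` versus `int main` in C, which has nothing to do with this change; the identical comment in bnox, brave, dnox, enox, flashpeak-slimjet, google-chrome*, inox, iridium and min points at the PR discussion that explains why the two whitelist includes are disabled. The same wrong link is pasted into opera.profile (also in this hunk run), snox.profile and yandex-browser.profile, so anyone trying to find out when these `ignore` lines can be dropped is sent to an unrelated page. Replace all four with `# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565`.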
@@ -5,6 +5,11 @@ include snox.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/snox
 noblacklist ${HOME}/.config/snox
diff --git a/etc/profile-m-z/vivaldi-beta.profile b/etc/profile-m-z/vivaldi-beta.profile
index 5de5682a3..0d80167f3 100644
--- a/etc/profile-m-z/vivaldi-beta.profile
+++ b/etc/profile-m-z/vivaldi-beta.profile
@@ -1,5 +1,7 @@
-# Firejail profile alias for vivaldi
+# Firejail profile for vivaldi-beta
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-beta.local
 # Redirect
 include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi-snapshot.profile b/etc/profile-m-z/vivaldi-snapshot.profile
index ea4a4009f..543f206af 100644
--- a/etc/profile-m-z/vivaldi-snapshot.profile
+++ b/etc/profile-m-z/vivaldi-snapshot.profile
@@ -2,16 +2,6 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vivaldi-snapshot.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.cache/vivaldi-snapshot
-noblacklist ${HOME}/.config/vivaldi-snapshot
-
-mkdir ${HOME}/.cache/vivaldi-snapshot
-mkdir ${HOME}/.config/vivaldi-snapshot
-whitelist ${HOME}/.cache/vivaldi-snapshot
-whitelist ${HOME}/.config/vivaldi-snapshot
 # Redirect
-include chromium-common.profile
+include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi-stable.profile b/etc/profile-m-z/vivaldi-stable.profile
index 5de5682a3..94b2cd76c 100644
--- a/etc/profile-m-z/vivaldi-stable.profile
+++ b/etc/profile-m-z/vivaldi-stable.profile
@@ -1,5 +1,7 @@
-# Firejail profile alias for vivaldi
+# Firejail profile for vivaldi-stable
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-stable.local
 # Redirect
 include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 096ce8a72..541942453 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -13,14 +13,20 @@ whitelist /var/opt/vivaldi
 writable-var
 noblacklist ${HOME}/.cache/vivaldi
+noblacklist ${HOME}/.cache/vivaldi-snapshot
 noblacklist ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.config/vivaldi-snapshot
 noblacklist ${HOME}/.local/lib/vivaldi
 mkdir ${HOME}/.cache/vivaldi
+mkdir ${HOME}/.cache/vivaldi-snapshot
 mkdir ${HOME}/.config/vivaldi
+mkdir ${HOME}/.config/vivaldi-snapshot
 mkdir ${HOME}/.local/lib/vivaldi
 whitelist ${HOME}/.cache/vivaldi
+whitelist ${HOME}/.cache/vivaldi-snapshot
 whitelist ${HOME}/.config/vivaldi
+whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
 # breaks vivaldi sync
diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
index 680bef677..81cd021f7 100644
--- a/etc/profile-m-z/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -5,6 +5,11 @@ include yandex-browser.local
 # Persistent global definitions
 include globals.local
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
 noblacklist ${HOME}/.config/yandex-browser
-- 
cgit v1.2.3-70-g09d2
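Review bot: The vivaldi.profile hunk adds `${HOME}/.cache/vivaldi-snapshot` and `${HOME}/.config/vivaldi-snapshot` beside the stable paths but leaves `${HOME}/.local/lib/vivaldi` without a snapshot counterpart, and the commit message itself flags exactly this as an open TODO; now that vivaldi-snapshot.profile is a pure redirect, nothing in the profile tells a reader that the snapshot channel's `.local/lib` path is unverified rather than deliberately omitted. I would put the open question next to the line it concerns, `# TODO: does vivaldi-snapshot also use ~/.local/lib/vivaldi-snapshot? (unverified)`, so it is not lost when the commit message is. It is also worth a one-line comment that the snapshot `mkdir`/`whitelist` entries are now created for every Vivaldi channel because /usr/bin/vivaldi resolves through /etc/alternatives and the profile cannot tell them apart — that is the reason given in the commit message, not in the file.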