feat: switch to hardened-chromium (#343)

* fix: selinux policy for chrome suid sandbox

* feat: switch to hardened-chromium

files/scripts/disableuserns.sh

@@ -36,3 +36,30 @@ PrivateUsers=no
 chown root:root /usr/bin/bwrap
 chmod u+s /usr/bin/bwrap
 
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2300183
+
+echo "
+
+
+module chrome_sandbox 1.0;
+
+require {
+	type chrome_sandbox_home_t;
+	type chrome_sandbox_t;
+	class file map;
+}
+
+#============= chrome_sandbox_t ==============
+
+allow chrome_sandbox_t chrome_sandbox_home_t:file map;
+
+" > chrome_sandbox.te
+
+checkmodule -M -m -o chrome_sandbox.mod chrome_sandbox.te
+semodule_package -o chrome_sandbox.pp -m chrome_sandbox.mod
+semodule -i chrome_sandbox.pp
+
+rm chrome_sandbox.te
+rm chrome_sandbox.mod
+rm chrome_sandbox.pp

files/scripts/setchromiumflags.sh

@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell build process to exit if there are any errors.
-set -oue pipefail
-
-sed -i '/--enable-chrome-browser-cloud-management/d' /etc/chromium/chromium.conf
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=2293202
-sed -i '/--enable-native-gpu-memory-buffers/d' /etc/chromium/chromium.conf
-
-sed -i 's/FEATURES=""/FEATURES="SplitCacheByNetworkIsolationKey,SplitCodeCacheByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey,PrefetchPrivacyChanges,IsolateSandboxedIframes,StrictOriginIsolation,PartitionConnectionsByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,EnableCrossSiteFlagNetworkIsolationKey,ContentSettingsPartitioning,"/g' /etc/chromium/chromium.conf
-
-echo '
-
-CHROMIUM_FLAGS+=" --ozone-platform=wayland --js-flags=--jitless --no-pings --disk-cache-dir=/dev/null --extension-content-verification=enforce_strict --extensions-install-verification=enforce_strict --disable-features=PrivacySandboxSettings4,InterestFeedV2,NTPPopularSitesBakedInContent,UsePopularSitesSuggestions,MediaDrmPreprovisioning,AutofillServerCommunication,DisableThirdPartyStoragePartitioningDeprecationTrial,OptimizationHints,OptimizationHintsFetching,OptimizationHintsFetchingAnonymousDataConsent"
-
-' >> /etc/chromium/chromium.conf

files/system/usr/etc/chromium/chromium.conf.md

@@ -1,39 +0,0 @@
-**Disables hyperlink auditing pings**
-
-`--no-pings`
-
-**Disables the disk cache**
-
-`--disk-cache-dir=/dev/null`
-
-**Use strict extension verification**
-
-`--extension-content-verification=enforce_strict --extensions-install-verification=enforce_strict`
-
-**Enable partitioning features**
-
-`SplitCacheByNetworkIsolationKey,SplitCodeCacheByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey,IsolateSandboxedIframes,StrictOriginIsolation,PartitionConnectionsByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,EnableCrossSiteFlagNetworkIsolationKey`
-
-**Harden prefetching**
-
-`PrefetchPrivacyChanges`
-
-**Disable Google's "privacy sandbox"**
-
-`PrivacySandboxSettings4`
-
-**Disable various content suggestions**
-
-`InterestFeedV2,NTPPopularSitesBakedInContent,UsePopularSitesSuggestions`
-
-**Disable DRM**
-
-`MediaDrmPreprovisioning`
-
-**Disable autofill requests**
-
-`AutofillServerCommunication`
-
-**Enable content settings partitioning**
-
-`ContentSettingsPartitioning`

files/system/usr/etc/chromium/policies/managed/hardening.json

@@ -1,44 +0,0 @@
-{
-	"DefaultSensorsSetting": 2,
-	"EnableMediaRouter": false,
-	"AccessibilityImageLabelsEnabled": false,
-	"BackgroundModeEnabled": false,
-	"BlockThirdPartyCookies": true,
-	"ChromeVariations": 1,
-	"ClickToCallEnabled": false,
-	"DnsOverHttpsMode": "automatic",
-	"HttpsOnlyMode": "force_enabled",
-	"MediaRecommendationsEnabled": false,
-	"MetricsReportingEnabled": false,
-	"NetworkPredictionOptions": 2,
-	"PaymentMethodQueryEnabled": false,
-	"PromotionalTabsEnabled": false,
-	"RemoteDebuggingAllowed": false,
-	"SafeSitesFilterBehavior": 0,
-	"SearchSuggestEnabled": false,
-	"SharedClipboardEnabled": false,
-	"ShowFullUrlsInAddressBar": true,
-	"SpellCheckServiceEnabled": false,
-	"SyncDisabled": true,
-	"TranslateEnabled": false,
-	"UrlKeyedAnonymizedDataCollectionEnabled": false,
-	"WebRtcEventLogCollectionAllowed": false,
-	"WebRtcIPHandling": "disable_non_proxied_udp",
-	"SafeBrowsingExtendedReportingEnabled": false,
-	"BrowserSignin": 0,
-	"AlternateErrorPagesEnabled": false,
-	"RemoteAccessHostAllowRemoteAccessConnections": false,
-	"RemoteAccessHostFirewallTraversal": false,
-	"DefaultInsecureContentSetting": 2,
-	"BlockExternalExtensions": true,
-	"AuthSchemes": "ntlm,negotiate",
-	"CloudPrintProxyEnabled": false,
-	"DefaultGeolocationSetting": 2,
-	"CloudPrintSubmitEnabled": false,
-	"AutofillAddressEnabled": false,
-	"AutofillCreditCardEnabled": false,
-	"ImportSavedPasswords": false,
-	"AlwaysOpenPdfExternally": true,
-	"AudioSandboxEnabled": true,
-	"NetworkServiceSandboxEnabled": true
-}

files/system/usr/etc/chromium/policies/managed/hardening.json.readme.md

@@ -1,170 +0,0 @@
-*The policies set here include a subset of those found in the [brace policy file](https://github.com/divestedcg/Brace/blob/master/brace/etc/chromium/policies/managed/brace.json). All policies that are deprecated, identical to the default, or only for ChromeOS have been removed.*
-
-**Do not allow any site to access sensors**
-
-`"DefaultSensorsSetting": 2`
-
-**Disable Google Cast**
-
-`"EnableMediaRouter": false`
-
-**Disable fetching labels for unlabelled images**
-
-`"AccessibilityImageLabelsEnabled": false`
-
-**Disable background mode**
-
-`"BackgroundModeEnabled": false`
-
-**Disable third party cookies**
-
-`"BlockThirdPartyCookies": true`
-
-**Permit Chrome Variations only for critical fixes**
-
-`"ChromeVariations": 1`
-
-**Disable click to call**
-
-`"ClickToCallEnabled": false`
-
-**Automatically use DNS-over-HTTPS if it's available**
-
-`"DnsOverHttpsMode": "automatic"`
-
-**Force enable HTTPS-Only Mode**
-
-`"HttpsOnlyMode": "force_enabled"`
-
-**Hide media recommendations**
-
-`"MediaRecommendationsEnabled": false`
-
-**Disable usage and crash reporting**
-
-`"MetricsReportingEnabled": false`
-
-**Disable network prediction**
-
-`"NetworkPredictionOptions": 2`
-
-**Disable payment method API**
-
-`"PaymentMethodQueryEnabled": false`
-
-**Disable full-tab promotions**
-
-`"PromotionalTabsEnabled": false`
-
-**Disable remote debugging**
-
-`"RemoteDebuggingAllowed": false`
-
-**Disable sending URLs for content filtering**
-
-`"SafeSitesFilterBehavior": 0`
-
-**Disable search suggestions**
-
-`"SearchSuggestEnabled": false`
-
-**Disable cross-device clipboard sharing**
-
-`"SharedClipboardEnabled": false`
-
-**Show full urls in the address bar**
-
-`"ShowFullUrlsInAddressBar": true`
-
-**Disable online spellchecking service**
-
-`"SpellCheckServiceEnabled": false`
-
-**Disable sync services**
-
-`"SyncDisabled": true`
-
-**Disable translate services**
-
-`"TranslateEnabled": false`
-
-**Disable URL-keyed anonymized data collection**
-
-`"UrlKeyedAnonymizedDataCollectionEnabled": false`
-
-**Disable WebRTC event log collection and uploading**
-
-`"WebRtcEventLogCollectionAllowed": false`
-
-**For WebRTC, use TCP on the public-facing interface, and will only use UDP if supported by a configured proxy.**
-
-`"WebRtcIPHandling": "disable_non_proxied_udp"`
-
-**Disable extended reporting for Safe Browsing**
-
-`"SafeBrowsingExtendedReportingEnabled": false`
-
-**Disable browser sign-in**
-
-`"BrowserSignin": 0`
-
-**Disable navigation error correction**
-
-`"AlternateErrorPagesEnabled": false`
-
-**Prevent remote access service from starting**
-
-`"RemoteAccessHostAllowRemoteAccessConnections": false`
-
-**Prevent remote client discovery**
-
-`"RemoteAccessHostFirewallTraversal": false`
-
-**Do not allow sites to load mixed content**
-
-`"DefaultInsecureContentSetting": 2`
-
-**Block external extensions**
-
-`"BlockExternalExtensions": true`
-
-**Disable insecure HTTP authentication schemes**
-
-`"AuthSchemes": "ntlm,negotiate"`
-
-**Disable Google Cloud Print proxy**
-
-`"CloudPrintProxyEnabled": false`
-
-**By default, do not allow any site to track the users' physical location**
-
-`"DefaultGeolocationSetting": 2`
-
-**Disable Google Cloud Print site submission**
-
-`"CloudPrintSubmitEnabled": false`
-
-**Prevent saving address information for autofill**
-
-`"AutofillAddressEnabled": false`
-
-**Prevent saving credit card information for autofill**
-
-`"AutofillCreditCardEnabled": false`
-
-**Do not import saved passwords on first run**
-
-`"ImportSavedPasswords": false`
-
-**Disable the internal PDF viewer**
-
-`"AlwaysOpenPdfExternally": true`
-
-**Enable Audio Service Sandbox**
-
-`"AudioSandboxEnabled": true`
-
-**Enable Network Service Sandbox**
-
-`"NetworkServiceSandboxEnabled": true`
-

recipes/common/gui-packages.yml

@@ -1,9 +1,10 @@
 type: rpm-ostree
 repos:
   - https://copr.fedorainfracloud.org/coprs/secureblue/bubblejail/repo/fedora-%OS_VERSION%/secureblue-bubblejail-fedora-%OS_VERSION%.repo
+  - https://copr.fedorainfracloud.org/coprs/secureblue/hardened-chromium/repo/fedora-%OS_VERSION%/secureblue-hardened-chromium-fedora-%OS_VERSION%.repo
 install:
   - headsetcontrol
-  - chromium
+  - hardened-chromium
   - mediainfo
   - bubblejail
   - usbguard-notifier
@@ -12,6 +13,7 @@ install:
   
 remove:
   - openssh-server
+  - fedora-chromium-config
   - fedora-flathub-remote
   - open-vm-tools
   - open-vm-tools-desktop

recipes/common/gui-scripts.yml

@@ -1,4 +1,3 @@
 type: script
 scripts:
   - disablecups.sh
-  - setchromiumflags.sh