From 45c9506980924eb2907885b32eb40e3250c7cc2b Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Sun, 28 Jul 2024 21:12:45 -0700
Subject: [PATCH] feat: switch to hardened-chromium (#343)
* fix: selinux policy for chrome suid sandbox
* feat: switch to hardened-chromium
---
 files/scripts/disableuserns.sh | 27 +++
 files/scripts/setchromiumflags.sh | 17 --
 .../system/usr/etc/chromium/chromium.conf.md | 39 ----
 .../chromium/policies/managed/hardening.json | 44 -----
 .../policies/managed/hardening.json.readme.md | 170 ------------------
 recipes/common/gui-packages.yml | 4 +-
 recipes/common/gui-scripts.yml | 1 -
 7 files changed, 30 insertions(+), 272 deletions(-)
 delete mode 100644 files/scripts/setchromiumflags.sh
 delete mode 100644 files/system/usr/etc/chromium/chromium.conf.md
 delete mode 100644 files/system/usr/etc/chromium/policies/managed/hardening.json
 delete mode 100644 files/system/usr/etc/chromium/policies/managed/hardening.json.readme.md
diff --git a/files/scripts/disableuserns.sh b/files/scripts/disableuserns.sh
index 33e5cdb..dcc3415 100644
--- a/files/scripts/disableuserns.sh
+++ b/files/scripts/disableuserns.sh
@@ -36,3 +36,30 @@ PrivateUsers=no
 chown root:root /usr/bin/bwrap
 chmod u+s /usr/bin/bwrap
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2300183
+
+echo "
+
+
+module chrome_sandbox 1.0;
+
+require {
+ type chrome_sandbox_home_t;
+ type chrome_sandbox_t;
+ class file map;
+}
+
+#============= chrome_sandbox_t ==============
+
+allow chrome_sandbox_t chrome_sandbox_home_t:file map;
+
+" > chrome_sandbox.te
+
+checkmodule -M -m -o chrome_sandbox.mod chrome_sandbox.te
+semodule_package -o chrome_sandbox.pp -m chrome_sandbox.mod
+semodule -i chrome_sandbox.pp
+
+rm chrome_sandbox.te
+rm chrome_sandbox.mod
+rm chrome_sandbox.pp
\ No newline at end of file
diff --git a/files/scripts/setchromiumflags.sh b/files/scripts/setchromiumflags.sh
deleted file mode 100644
index c893b47..0000000
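Review bot: The module source and its compiled `chrome_sandbox.mod`/`chrome_sandbox.pp` are written to relative paths, so the `rm` lines at the end of the hunk clean up whatever the build's current working directory happens to be, and they are never reached if `checkmodule`, `semodule_package` or `semodule -i` fails first. Writing the three files under a `mktemp -d` directory and removing that directory keeps the cleanup independent of the cwd. The rule itself is narrow (one type pair, one permission), which is the right shape for a workaround, but a comment marking it as a temporary grant tied to the referenced bugzilla entry would make it easier to drop once the distro policy carries the rule. The start of the script, and therefore its `set` options, is outside the hunk, so whether a failing `checkmodule` aborts the build cannot be confirmed here; the last added `rm` line also lacks a trailing newline.
```shell
# https://bugzilla.redhat.com/show_bug.cgi?id=2300183
# Temporary grant: chrome_sandbox_t needs file:map on chrome_sandbox_home_t.
# Drop this module once the distro policy carries the rule.
sandbox_tmp="$(mktemp -d)"

cat > "$sandbox_tmp/chrome_sandbox.te" <<'EOF'
module chrome_sandbox 1.0;
# … unchanged: require block and allow rule …
EOF

checkmodule -M -m -o "$sandbox_tmp/chrome_sandbox.mod" "$sandbox_tmp/chrome_sandbox.te"
semodule_package -o "$sandbox_tmp/chrome_sandbox.pp" -m "$sandbox_tmp/chrome_sandbox.mod"
semodule -i "$sandbox_tmp/chrome_sandbox.pp"

rm -rf "$sandbox_tmp"
```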
--- a/files/scripts/setchromiumflags.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell build process to exit if there are any errors.
-set -oue pipefail
-
-sed -i '/--enable-chrome-browser-cloud-management/d' /etc/chromium/chromium.conf
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=2293202
-sed -i '/--enable-native-gpu-memory-buffers/d' /etc/chromium/chromium.conf
-
-sed -i 's/FEATURES=""/FEATURES="SplitCacheByNetworkIsolationKey,SplitCodeCacheByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey,PrefetchPrivacyChanges,IsolateSandboxedIframes,StrictOriginIsolation,PartitionConnectionsByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,EnableCrossSiteFlagNetworkIsolationKey,ContentSettingsPartitioning,"/g' /etc/chromium/chromium.conf
-
-echo '
-
-CHROMIUM_FLAGS+=" --ozone-platform=wayland --js-flags=--jitless --no-pings --disk-cache-dir=/dev/null --extension-content-verification=enforce_strict --extensions-install-verification=enforce_strict --disable-features=PrivacySandboxSettings4,InterestFeedV2,NTPPopularSitesBakedInContent,UsePopularSitesSuggestions,MediaDrmPreprovisioning,AutofillServerCommunication,DisableThirdPartyStoragePartitioningDeprecationTrial,OptimizationHints,OptimizationHintsFetching,OptimizationHintsFetchingAnonymousDataConsent"
-
-' >> /etc/chromium/chromium.conf
diff --git a/files/system/usr/etc/chromium/chromium.conf.md b/files/system/usr/etc/chromium/chromium.conf.md
deleted file mode 100644
index 9d2b310..0000000
--- a/files/system/usr/etc/chromium/chromium.conf.md
+++ /dev/null
@@ -1,39 +0,0 @@
-**Disables hyperlink auditing pings**
-
-`--no-pings`
-
-**Disables the disk cache**
-
-`--disk-cache-dir=/dev/null`
-
-**Use strict extension verification**
-
-`--extension-content-verification=enforce_strict --extensions-install-verification=enforce_strict`
-
-**Enable partitioning features**
-
-`SplitCacheByNetworkIsolationKey,SplitCodeCacheByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey,IsolateSandboxedIframes,StrictOriginIsolation,PartitionConnectionsByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,EnableCrossSiteFlagNetworkIsolationKey`
-
-**Harden prefetching**
-
-`PrefetchPrivacyChanges`
-
-**Disable Google's "privacy sandbox"**
-
-`PrivacySandboxSettings4`
-
-**Disable various content suggestions**
-
-`InterestFeedV2,NTPPopularSitesBakedInContent,UsePopularSitesSuggestions`
-
-**Disable DRM**
-
-`MediaDrmPreprovisioning`
-
-**Disable autofill requests**
-
-`AutofillServerCommunication`
-
-**Enable content settings partitioning**
-
-`ContentSettingsPartitioning`
\ No newline at end of file
diff --git a/files/system/usr/etc/chromium/policies/managed/hardening.json b/files/system/usr/etc/chromium/policies/managed/hardening.json
deleted file mode 100644
index 06708c0..0000000
--- a/files/system/usr/etc/chromium/policies/managed/hardening.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "DefaultSensorsSetting": 2,
- "EnableMediaRouter": false,
- "AccessibilityImageLabelsEnabled": false,
- "BackgroundModeEnabled": false,
- "BlockThirdPartyCookies": true,
- "ChromeVariations": 1,
- "ClickToCallEnabled": false,
- "DnsOverHttpsMode": "automatic",
- "HttpsOnlyMode": "force_enabled",
- "MediaRecommendationsEnabled": false,
- "MetricsReportingEnabled": false,
- "NetworkPredictionOptions": 2,
- "PaymentMethodQueryEnabled": false,
- "PromotionalTabsEnabled": false,
- "RemoteDebuggingAllowed": false,
- "SafeSitesFilterBehavior": 0,
- "SearchSuggestEnabled": false,
- "SharedClipboardEnabled": false,
- "ShowFullUrlsInAddressBar": true,
- "SpellCheckServiceEnabled": false,
- "SyncDisabled": true,
- "TranslateEnabled": false,
- "UrlKeyedAnonymizedDataCollectionEnabled": false,
- "WebRtcEventLogCollectionAllowed": false,
- "WebRtcIPHandling": "disable_non_proxied_udp",
- "SafeBrowsingExtendedReportingEnabled": false,
- "BrowserSignin": 0,
- "AlternateErrorPagesEnabled": false,
- "RemoteAccessHostAllowRemoteAccessConnections": false,
- "RemoteAccessHostFirewallTraversal": false,
- "DefaultInsecureContentSetting": 2,
- "BlockExternalExtensions": true,
- "AuthSchemes": "ntlm,negotiate",
- "CloudPrintProxyEnabled": false,
- "DefaultGeolocationSetting": 2,
- "CloudPrintSubmitEnabled": false,
- "AutofillAddressEnabled": false,
- "AutofillCreditCardEnabled": false,
- "ImportSavedPasswords": false,
- "AlwaysOpenPdfExternally": true,
- "AudioSandboxEnabled": true,
- "NetworkServiceSandboxEnabled": true
-}
diff --git a/files/system/usr/etc/chromium/policies/managed/hardening.json.readme.md b/files/system/usr/etc/chromium/policies/managed/hardening.json.readme.md
deleted file mode 100644
index 247e967..0000000
--- a/files/system/usr/etc/chromium/policies/managed/hardening.json.readme.md
+++ /dev/null
@@ -1,170 +0,0 @@
-*The policies set here include a subset of those found in the [brace policy file](https://github.com/divestedcg/Brace/blob/master/brace/etc/chromium/policies/managed/brace.json). All policies that are deprecated, identical to the default, or only for ChromeOS have been removed.*
-
-**Do not allow any site to access sensors**
-
-`"DefaultSensorsSetting": 2`
-
-**Disable Google Cast**
-
-`"EnableMediaRouter": false`
-
-**Disable fetching labels for unlabelled images**
-
-`"AccessibilityImageLabelsEnabled": false`
-
-**Disable background mode**
-
-`"BackgroundModeEnabled": false`
-
-**Disable third party cookies**
-
-`"BlockThirdPartyCookies": true`
-
-**Permit Chrome Variations only for critical fixes**
-
-`"ChromeVariations": 1`
-
-**Disable click to call**
-
-`"ClickToCallEnabled": false`
-
-**Automatically use DNS-over-HTTPS if it's available**
-
-`"DnsOverHttpsMode": "automatic"`
-
-**Force enable HTTPS-Only Mode**
-
-`"HttpsOnlyMode": "force_enabled"`
-
-**Hide media recommendations**
-
-`"MediaRecommendationsEnabled": false`
-
-**Disable usage and crash reporting**
-
-`"MetricsReportingEnabled": false`
-
-**Disable network prediction**
-
-`"NetworkPredictionOptions": 2`
-
-**Disable payment method API**
-
-`"PaymentMethodQueryEnabled": false`
-
-**Disable full-tab promotions**
-
-`"PromotionalTabsEnabled": false`
-
-**Disable remote debugging**
-
-`"RemoteDebuggingAllowed": false`
-
-**Disable sending URLs for content filtering**
-
-`"SafeSitesFilterBehavior": 0`
-
-**Disable search suggestions**
-
-`"SearchSuggestEnabled": false`
-
-**Disable cross-device clipboard sharing**
-
-`"SharedClipboardEnabled": false`
-
-**Show full urls in the address bar**
-
-`"ShowFullUrlsInAddressBar": true`
-
-**Disable online spellchecking service**
-
-`"SpellCheckServiceEnabled": false`
-
-**Disable sync services**
-
-`"SyncDisabled": true`
-
-**Disable translate services**
-
-`"TranslateEnabled": false`
-
-**Disable URL-keyed anonymized data collection**
-
-`"UrlKeyedAnonymizedDataCollectionEnabled": false` - -**Disable WebRTC event log collection and uploading** - -`"WebRtcEventLogCollectionAllowed": false` - -**For WebRTC, use TCP on the public-facing interface, and will only use UDP if supported by a configured proxy.** - -`"WebRtcIPHandling": "disable_non_proxied_udp"` - -**Disable extended reporting for Safe Browsing** - -`"SafeBrowsingExtendedReportingEnabled": false` - -**Disable browser sign-in** - -`"BrowserSignin": 0` - -**Disable navigation error correction** - -`"AlternateErrorPagesEnabled": false` - -**Prevent remote access service from starting** - -`"RemoteAccessHostAllowRemoteAccessConnections": false` - -**Prevent remote client discovery** - -`"RemoteAccessHostFirewallTraversal": false` - -**Do not allow sites to load mixed content** - -`"DefaultInsecureContentSetting": 2` - -**Block external extensions** - -`"BlockExternalExtensions": true` - -**Disable insecure HTTP authentication schemes** - -`"AuthSchemes": "ntlm,negotiate"` - -**Disable Google Cloud Print proxy** - -`"CloudPrintProxyEnabled": false` - -**By default, do not allow any site to track the users' physical location** - -`"DefaultGeolocationSetting": 2` - -**Disable Google Cloud Print site submission** - -`"CloudPrintSubmitEnabled": false` - -**Prevent saving address information for autofill** - -`"AutofillAddressEnabled": false` - -**Prevent saving credit card information for autofill** - -`"AutofillCreditCardEnabled": false` - -**Do not import saved passwords on first run** - -`"ImportSavedPasswords": false` - -**Disable the internal PDF viewer** - -`"AlwaysOpenPdfExternally": true` - -**Enable Audio Service Sandbox** - -`"AudioSandboxEnabled": true` - -**Enable Network Service Sandbox** - -`"NetworkServiceSandboxEnabled": true` - diff --git a/recipes/common/gui-packages.yml b/recipes/common/gui-packages.yml index cac65d9..48a5dff 100644 --- a/recipes/common/gui-packages.yml +++ b/recipes/common/gui-packages.yml 
@@ -1,9 +1,10 @@
 type: rpm-ostree
 repos:
 - https://copr.fedorainfracloud.org/coprs/secureblue/bubblejail/repo/fedora-%OS_VERSION%/secureblue-bubblejail-fedora-%OS_VERSION%.repo
+ - https://copr.fedorainfracloud.org/coprs/secureblue/hardened-chromium/repo/fedora-%OS_VERSION%/secureblue-hardened-chromium-fedora-%OS_VERSION%.repo
 install:
 - headsetcontrol
- - chromium
+ - hardened-chromium
 - mediainfo
 - bubblejail
 - usbguard-notifier
@@ -12,6 +13,7 @@ install:
 remove:
 - openssh-server
+ - fedora-chromium-config
 - fedora-flathub-remote
 - open-vm-tools
 - open-vm-tools-desktop
diff --git a/recipes/common/gui-scripts.yml b/recipes/common/gui-scripts.yml
index ec9713b..2ea4c6e 100644
--- a/recipes/common/gui-scripts.yml
+++ b/recipes/common/gui-scripts.yml
@@ -1,4 +1,3 @@
 type: script
 scripts:
 - disablecups.sh
- - setchromiumflags.sh
\ No newline at end of file
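Review bot: Replacing `chromium` with `hardened-chromium` and adding `fedora-chromium-config` to `remove:` lands in the same commit that deletes the in-repo `hardening.json` policies and `setchromiumflags.sh`, and nothing in the diff shows which of those settings (for example `RemoteDebuggingAllowed`, `HttpsOnlyMode`, `BlockExternalExtensions`) the new package carries. A comment beside the new install entry such as `# replaces chromium and the in-repo hardening.json / setchromiumflags.sh; flags and managed policies are expected to ship with the package` would record that assumption for whoever audits the image later. The new repo is under the same `secureblue` COPR namespace as the existing bubblejail repo, so the set of trusted build sources does not widen, which is worth stating in the same comment.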