feat: switch to hardened-chromium (#343)

* fix: selinux policy for chrome suid sandbox * feat: switch to hardened-chromium
2025-11-03 20:07:53 +00:00 · 2024-07-28 21:12:45 -07:00
parent e500f078ef
commit 45c9506980
7 changed files with 30 additions and 272 deletions
--- a/files/scripts/disableuserns.sh
+++ b/files/scripts/disableuserns.sh
@@ -36,3 +36,30 @@ PrivateUsers=no
 chown root:root /usr/bin/bwrap
 chmod u+s /usr/bin/bwrap
 # https://bugzilla.redhat.com/show_bug.cgi?id=2300183
 echo "
 module chrome_sandbox 1.0;
 require {
 	type chrome_sandbox_home_t;
 	type chrome_sandbox_t;
 	class file map;
 }
 #============= chrome_sandbox_t ==============
 allow chrome_sandbox_t chrome_sandbox_home_t:file map;
 " > chrome_sandbox.te
 checkmodule -M -m -o chrome_sandbox.mod chrome_sandbox.te
 semodule_package -o chrome_sandbox.pp -m chrome_sandbox.mod
 semodule -i chrome_sandbox.pp
 rm chrome_sandbox.te
 rm chrome_sandbox.mod
 rm chrome_sandbox.pp
--- a/files/scripts/setchromiumflags.sh
+++ b/files/scripts/setchromiumflags.sh
@@ -1,17 +0,0 @@
 #!/usr/bin/env bash
 # Tell build process to exit if there are any errors.
 set -oue pipefail
 sed -i '/--enable-chrome-browser-cloud-management/d' /etc/chromium/chromium.conf
 # https://bugzilla.redhat.com/show_bug.cgi?id=2293202
 sed -i '/--enable-native-gpu-memory-buffers/d' /etc/chromium/chromium.conf
 sed -i 's/FEATURES=""/FEATURES="SplitCacheByNetworkIsolationKey,SplitCodeCacheByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey,PrefetchPrivacyChanges,IsolateSandboxedIframes,StrictOriginIsolation,PartitionConnectionsByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,EnableCrossSiteFlagNetworkIsolationKey,ContentSettingsPartitioning,"/g' /etc/chromium/chromium.conf
 echo '
 CHROMIUM_FLAGS+=" --ozone-platform=wayland --js-flags=--jitless --no-pings --disk-cache-dir=/dev/null --extension-content-verification=enforce_strict --extensions-install-verification=enforce_strict --disable-features=PrivacySandboxSettings4,InterestFeedV2,NTPPopularSitesBakedInContent,UsePopularSitesSuggestions,MediaDrmPreprovisioning,AutofillServerCommunication,DisableThirdPartyStoragePartitioningDeprecationTrial,OptimizationHints,OptimizationHintsFetching,OptimizationHintsFetchingAnonymousDataConsent"
 ' >> /etc/chromium/chromium.conf
--- a/files/system/usr/etc/chromium/chromium.conf.md
+++ b/files/system/usr/etc/chromium/chromium.conf.md
@@ -1,39 +0,0 @@
 **Disables hyperlink auditing pings**
 `--no-pings`
 **Disables the disk cache**
 `--disk-cache-dir=/dev/null`
 **Use strict extension verification**
 `--extension-content-verification=enforce_strict --extensions-install-verification=enforce_strict`
 **Enable partitioning features**
 `SplitCacheByNetworkIsolationKey,SplitCodeCacheByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey,IsolateSandboxedIframes,StrictOriginIsolation,PartitionConnectionsByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,EnableCrossSiteFlagNetworkIsolationKey`
 **Harden prefetching**
 `PrefetchPrivacyChanges`
 **Disable Google's "privacy sandbox"**
 `PrivacySandboxSettings4`
 **Disable various content suggestions**
 `InterestFeedV2,NTPPopularSitesBakedInContent,UsePopularSitesSuggestions`
 **Disable DRM**
 `MediaDrmPreprovisioning`
 **Disable autofill requests**
 `AutofillServerCommunication`
 **Enable content settings partitioning**
 `ContentSettingsPartitioning`
--- a/files/system/usr/etc/chromium/policies/managed/hardening.json
+++ b/files/system/usr/etc/chromium/policies/managed/hardening.json
@@ -1,44 +0,0 @@
 {
 	"DefaultSensorsSetting": 2,
 	"EnableMediaRouter": false,
 	"AccessibilityImageLabelsEnabled": false,
 	"BackgroundModeEnabled": false,
 	"BlockThirdPartyCookies": true,
 	"ChromeVariations": 1,
 	"ClickToCallEnabled": false,
 	"DnsOverHttpsMode": "automatic",
 	"HttpsOnlyMode": "force_enabled",
 	"MediaRecommendationsEnabled": false,
 	"MetricsReportingEnabled": false,
 	"NetworkPredictionOptions": 2,
 	"PaymentMethodQueryEnabled": false,
 	"PromotionalTabsEnabled": false,
 	"RemoteDebuggingAllowed": false,
 	"SafeSitesFilterBehavior": 0,
 	"SearchSuggestEnabled": false,
 	"SharedClipboardEnabled": false,
 	"ShowFullUrlsInAddressBar": true,
 	"SpellCheckServiceEnabled": false,
 	"SyncDisabled": true,
 	"TranslateEnabled": false,
 	"UrlKeyedAnonymizedDataCollectionEnabled": false,
 	"WebRtcEventLogCollectionAllowed": false,
 	"WebRtcIPHandling": "disable_non_proxied_udp",
 	"SafeBrowsingExtendedReportingEnabled": false,
 	"BrowserSignin": 0,
 	"AlternateErrorPagesEnabled": false,
 	"RemoteAccessHostAllowRemoteAccessConnections": false,
 	"RemoteAccessHostFirewallTraversal": false,
 	"DefaultInsecureContentSetting": 2,
 	"BlockExternalExtensions": true,
 	"AuthSchemes": "ntlm,negotiate",
 	"CloudPrintProxyEnabled": false,
 	"DefaultGeolocationSetting": 2,
 	"CloudPrintSubmitEnabled": false,
 	"AutofillAddressEnabled": false,
 	"AutofillCreditCardEnabled": false,
 	"ImportSavedPasswords": false,
 	"AlwaysOpenPdfExternally": true,
 	"AudioSandboxEnabled": true,
 	"NetworkServiceSandboxEnabled": true
 }
--- a/files/system/usr/etc/chromium/policies/managed/hardening.json.readme.md
+++ b/files/system/usr/etc/chromium/policies/managed/hardening.json.readme.md
@@ -1,170 +0,0 @@
 *The policies set here include a subset of those found in the [brace policy file](https://github.com/divestedcg/Brace/blob/master/brace/etc/chromium/policies/managed/brace.json). All policies that are deprecated, identical to the default, or only for ChromeOS have been removed.*
 **Do not allow any site to access sensors**
 `"DefaultSensorsSetting": 2`
 **Disable Google Cast**
 `"EnableMediaRouter": false`
 **Disable fetching labels for unlabelled images**
 `"AccessibilityImageLabelsEnabled": false`
 **Disable background mode**
 `"BackgroundModeEnabled": false`
 **Disable third party cookies**
 `"BlockThirdPartyCookies": true`
 **Permit Chrome Variations only for critical fixes**
 `"ChromeVariations": 1`
 **Disable click to call**
 `"ClickToCallEnabled": false`
 **Automatically use DNS-over-HTTPS if it's available**
 `"DnsOverHttpsMode": "automatic"`
 **Force enable HTTPS-Only Mode**
 `"HttpsOnlyMode": "force_enabled"`
 **Hide media recommendations**
 `"MediaRecommendationsEnabled": false`
 **Disable usage and crash reporting**
 `"MetricsReportingEnabled": false`
 **Disable network prediction**
 `"NetworkPredictionOptions": 2`
 **Disable payment method API**
 `"PaymentMethodQueryEnabled": false`
 **Disable full-tab promotions**
 `"PromotionalTabsEnabled": false`
 **Disable remote debugging**
 `"RemoteDebuggingAllowed": false`
 **Disable sending URLs for content filtering**
 `"SafeSitesFilterBehavior": 0`
 **Disable search suggestions**
 `"SearchSuggestEnabled": false`
 **Disable cross-device clipboard sharing**
 `"SharedClipboardEnabled": false`
 **Show full urls in the address bar**
 `"ShowFullUrlsInAddressBar": true`
 **Disable online spellchecking service**
 `"SpellCheckServiceEnabled": false`
 **Disable sync services**
 `"SyncDisabled": true`
 **Disable translate services**
 `"TranslateEnabled": false`
 **Disable URL-keyed anonymized data collection**
 `"UrlKeyedAnonymizedDataCollectionEnabled": false`
 **Disable WebRTC event log collection and uploading**
 `"WebRtcEventLogCollectionAllowed": false`
 **For WebRTC, use TCP on the public-facing interface, and will only use UDP if supported by a configured proxy.**
 `"WebRtcIPHandling": "disable_non_proxied_udp"`
 **Disable extended reporting for Safe Browsing**
 `"SafeBrowsingExtendedReportingEnabled": false`
 **Disable browser sign-in**
 `"BrowserSignin": 0`
 **Disable navigation error correction**
 `"AlternateErrorPagesEnabled": false`
 **Prevent remote access service from starting**
 `"RemoteAccessHostAllowRemoteAccessConnections": false`
 **Prevent remote client discovery**
 `"RemoteAccessHostFirewallTraversal": false`
 **Do not allow sites to load mixed content**
 `"DefaultInsecureContentSetting": 2`
 **Block external extensions**
 `"BlockExternalExtensions": true`
 **Disable insecure HTTP authentication schemes**
 `"AuthSchemes": "ntlm,negotiate"`
 **Disable Google Cloud Print proxy**
 `"CloudPrintProxyEnabled": false`
 **By default, do not allow any site to track the users' physical location**
 `"DefaultGeolocationSetting": 2`
 **Disable Google Cloud Print site submission**
 `"CloudPrintSubmitEnabled": false`
 **Prevent saving address information for autofill**
 `"AutofillAddressEnabled": false`
 **Prevent saving credit card information for autofill**
 `"AutofillCreditCardEnabled": false`
 **Do not import saved passwords on first run**
 `"ImportSavedPasswords": false`
 **Disable the internal PDF viewer**
 `"AlwaysOpenPdfExternally": true`
 **Enable Audio Service Sandbox**
 `"AudioSandboxEnabled": true`
 **Enable Network Service Sandbox**
 `"NetworkServiceSandboxEnabled": true`
--- a/recipes/common/gui-packages.yml
+++ b/recipes/common/gui-packages.yml
@@ -1,9 +1,10 @@
 type: rpm-ostree
 repos:
  - https://copr.fedorainfracloud.org/coprs/secureblue/bubblejail/repo/fedora-%OS_VERSION%/secureblue-bubblejail-fedora-%OS_VERSION%.repo
  - https://copr.fedorainfracloud.org/coprs/secureblue/hardened-chromium/repo/fedora-%OS_VERSION%/secureblue-hardened-chromium-fedora-%OS_VERSION%.repo
 install:
  - headsetcontrol
-  - chromium
+  - hardened-chromium
  - mediainfo
  - bubblejail
  - usbguard-notifier
@@ -12,6 +13,7 @@ install:
 remove:
  - openssh-server
  - fedora-chromium-config
  - fedora-flathub-remote
  - open-vm-tools
  - open-vm-tools-desktop
--- a/recipes/common/gui-scripts.yml
+++ b/recipes/common/gui-scripts.yml
@@ -1,4 +1,3 @@
 type: script
 scripts:
  - disablecups.sh
  - setchromiumflags.sh