[PR #3688] [MERGED] profiles: chromium: rework & add new profiles #4848

Closed
opened 2026-05-05 10:27:43 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3688
Author: @rusty-snake
Created: 10/23/2020
Status: Merged
Merged: 11/9/2020
Merged by: @rusty-snake

Base: master ← Head: rework-chromium


📝 Commits (4)

  • d281e3c rework chromium
  • a2b6ce9 update 1
  • 1d023a3 update 2
  • 65193c3 update 3

📊 Changes

24 files changed (+126 additions, -14 deletions)

View changed files

➕ etc/inc/chromium-common-hardened.inc (+5 -0)
📝 etc/inc/disable-programs.inc (+2 -0)
📝 etc/profile-a-l/bnox.profile (+5 -0)
📝 etc/profile-a-l/brave.profile (+6 -0)
➕ etc/profile-a-l/chromium-browser-privacy.profile (+17 -0)
📝 etc/profile-a-l/chromium-common.profile (+12 -1)
📝 etc/profile-a-l/dnox.profile (+5 -0)
📝 etc/profile-a-l/enox.profile (+5 -0)
📝 etc/profile-a-l/flashpeak-slimjet.profile (+5 -0)
📝 etc/profile-a-l/google-chrome-beta.profile (+5 -0)
📝 etc/profile-a-l/google-chrome-unstable.profile (+5 -0)
📝 etc/profile-a-l/google-chrome.profile (+5 -0)
📝 etc/profile-a-l/inox.profile (+5 -0)
📝 etc/profile-a-l/iridium.profile (+5 -0)
📝 etc/profile-m-z/min.profile (+5 -0)
📝 etc/profile-m-z/opera-beta.profile (+5 -0)
📝 etc/profile-m-z/opera.profile (+5 -0)
📝 etc/profile-m-z/snox.profile (+5 -0)
📝 etc/profile-m-z/vivaldi-beta.profile (+3 -1)
📝 etc/profile-m-z/vivaldi-snapshot.profile (+1 -11)

...and 4 more files

📄 Description

  • 516d0811 has removed fundamental security features.
    (remove caps.drop=all, nonewprivs, noroot, seccomp, protocol; add
    caps.keep) Though this is only necessary if running under a kernel which
    disallows unprivileged userns clones. Arch's linux-hardened and Debian's kernel
    are patched accordingly. Arch's linux and linux-lts kernels support this
    restriction via sysctl (kernel.unprivileged_userns_clone=0) as a user
    opt-in. Other kernels such as mainline or Fedora/Red Hat always support
    unprivileged userns clone and have no sysctl parameter to disable it. Debian and
    Arch users can enable it with 'sysctl kernel.unprivileged_userns_clone=1'.
    This commit adds a chromium-common-hardened.inc which can be included
    in chromium-common to enhance security of chromium-based programs.

  • chromium-common.profile: add private-cache

  • chromium-common.profile: add wruc and wusc, but disable it for the following profiles until tested. Tests welcome.

    • [ ] bnox, dnox, enox, inox, snox
    • [ ] brave
    • [ ] flashpeak-slimjet
    • [ ] google-chrome, google-chrome-beta, google-chrome-unstable
    • [ ] iridium
    • [ ] min
    • [ ] opera, opera-beta

  • move vivaldi-snapshot paths from vivaldi-snapshot.profile to vivaldi.
    /usr/bin/vivaldi is a symlink to /etc/alternatives/vivaldi which can be vivaldi-stable, vivaldi-beta or vivaldi-snapshot. vivaldi-snapshot.profile also missed some features from vivaldi.profile; solve this by making it redirect to vivaldi.profile. TODO: do new paths such as .local/lib/vivaldi also exist for vivaldi-snapshot?

  • ~Move drm-relaktions in vivaldi.profile behind BROWSER_ALLOW_DRM.~

  • create chromium-browser-privacy.profile (closes #3633)


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
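
The description ties the usefulness of chromium-common-hardened.inc to whether the running kernel allows unprivileged userns clones. The following check is an added example, not code from this PR or from firejail: the function names and the `PROC_ROOT` parameter are hypothetical, and the `user.max_user_namespaces` test is an extra mainline sysctl that the description does not mention.

```shell
#!/bin/sh
# Added example (not firejail code): report whether the kernel permits
# unprivileged user-namespace clones, the condition the PR description
# gives for including chromium-common-hardened.inc.

# userns_state [PROC_ROOT] -> prints allowed | blocked | unknown
# PROC_ROOT (hypothetical parameter) defaults to /proc so the logic can
# be exercised against a constructed directory tree.
userns_state() {
    proc_root="${1:-/proc}"
    knob="$proc_root/sys/kernel/unprivileged_userns_clone"
    max="$proc_root/sys/user/max_user_namespaces"

    # Without a sysctl tree nothing can be concluded.
    [ -d "$proc_root/sys/kernel" ] || { echo unknown; return 0; }

    # Assumption beyond the PR text: user.max_user_namespaces=0 turns
    # user namespaces off on any kernel, patched or not.
    if [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then
        echo blocked
        return 0
    fi

    # Patched kernels (Debian, Arch) expose this knob.
    if [ -r "$knob" ]; then
        case "$(cat "$knob")" in
            1) echo allowed ;;
            0) echo blocked ;;
            *) echo unknown ;;
        esac
        return 0
    fi

    # No knob: per the PR, mainline and Fedora/Red Hat kernels always
    # support unprivileged userns clone.
    echo allowed
}

# advise [PROC_ROOT] -> one-line recommendation for the profile choice
advise() {
    case "$(userns_state "$1")" in
        allowed) echo "userns clone allowed: chromium-common-hardened.inc can be included" ;;
        blocked) echo "userns clone blocked: keep the default profile or set kernel.unprivileged_userns_clone=1" ;;
        *)       echo "userns state unknown: inspect the kernel sysctls by hand" ;;
    esac
}

advise "$@"
```
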
