Fix flatpak build

SOURCES/flatpak-Adjust-paths-for-the-sandbox.patch

@@ -0,0 +1,86 @@
+From 997c9dc4160c468f26acb851eb65408f41e2a091 Mon Sep 17 00:00:00 2001
+From: Ryan Gonzalez <rymg19@gmail.com>
+Date: Tue, 25 Aug 2020 19:26:07 -0500
+Subject: [PATCH] flatpak: Adjust paths for the sandbox
+
+---
+ chrome/common/BUILD.gn        |  4 ++++
+ chrome/common/chrome_paths.cc | 26 +++++++++++++++++++++++++-
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/chrome/common/BUILD.gn b/chrome/common/BUILD.gn
+index 76cf6a5985990..4044c87b656c4 100644
+--- a/chrome/common/BUILD.gn
++++ b/chrome/common/BUILD.gn
+@@ -642,6 +642,10 @@ static_library("constants") {
+       "//third_party/widevine/cdm:headers",
+     ]
+   }
++
++  if (is_linux) {
++    deps += [ "//sandbox/linux:sandbox_services" ]
++  }
+ }
+ 
+ # Use a static library here because many test binaries depend on this but don't
+diff --git a/chrome/common/chrome_paths.cc b/chrome/common/chrome_paths.cc
+index ec09803ffabcf..ecbc300b99e1d 100644
+--- a/chrome/common/chrome_paths.cc
++++ b/chrome/common/chrome_paths.cc
+@@ -38,6 +38,10 @@
+ #include "base/win/registry.h"
+ #endif
+ 
++#if BUILDFLAG(IS_LINUX)
++#include "sandbox/linux/services/flatpak_sandbox.h"
++#endif
++
+ #if BUILDFLAG(ENABLE_WIDEVINE)
+ #include "third_party/widevine/cdm/widevine_cdm_common.h"  // nogncheck
+ #endif
+@@ -537,6 +541,14 @@ bool PathProvider(int key, base::FilePath* result) {
+       break;
+ #if BUILDFLAG(IS_POSIX) && !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_OPENBSD)
+     case chrome::DIR_POLICY_FILES: {
++#if defined(OS_LINUX)
++      if (sandbox::FlatpakSandbox::GetInstance()->GetSandboxLevel() >
++          sandbox::FlatpakSandbox::SandboxLevel::kNone) {
++        cur = base::FilePath(
++            FILE_PATH_LITERAL("/app/chromium/extensions/policies"));
++        break;
++      }
++#endif
+       cur = base::FilePath(policy::kPolicyPath);
+       break;
+     }
+@@ -557,7 +569,13 @@ bool PathProvider(int key, base::FilePath* result) {
+ #endif
+ #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+     case chrome::DIR_STANDALONE_EXTERNAL_EXTENSIONS: {
+-      cur = base::FilePath(kFilepathSinglePrefExtensions);
++      if (sandbox::FlatpakSandbox::GetInstance()->GetSandboxLevel() >
++          sandbox::FlatpakSandbox::SandboxLevel::kNone) {
++        cur = base::FilePath(
++            FILE_PATH_LITERAL("/app/chromium/extensions/extensions"));
++      } else {
++        cur = base::FilePath(kFilepathSinglePrefExtensions);
++      }
+       break;
+     }
+ #endif
+@@ -604,6 +622,12 @@ bool PathProvider(int key, base::FilePath* result) {
+           "/Library/Application Support/Chromium/NativeMessagingHosts"));
+ #endif
+ #else  // BUILDFLAG(IS_MAC)
++      if (sandbox::FlatpakSandbox::GetInstance()->GetSandboxLevel() >
++          sandbox::FlatpakSandbox::SandboxLevel::kNone) {
++        cur = base::FilePath(FILE_PATH_LITERAL(
++            "/app/chromium/extensions/native-messaging-hosts"));
++        break;
++      }
+ #if BUILDFLAG(GOOGLE_CHROME_BRANDING)
+       cur = base::FilePath(
+           FILE_PATH_LITERAL("/etc/opt/chrome/native-messaging-hosts"));
+-- 
+2.46.1
+

SOURCES/flatpak-Expose-Widevine-into-the-sandbox.patch

@@ -0,0 +1,326 @@
+From 0446b3432c90bbab893c7bde22a5e664e14753af Mon Sep 17 00:00:00 2001
+From: Ryan Gonzalez <rymg19@gmail.com>
+Date: Tue, 17 Nov 2020 13:00:39 -0600
+Subject: [PATCH] flatpak: Expose Widevine into the sandbox
+
+---
+ .../zygote_host/zygote_host_impl_linux.cc     | 54 +++++++++++++-
+ sandbox/linux/services/flatpak_sandbox.cc     | 74 ++++++++++++++-----
+ sandbox/linux/services/flatpak_sandbox.h      | 27 ++++++-
+ 3 files changed, 131 insertions(+), 24 deletions(-)
+
+diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc
+index 1703fb6ade044..3e8eb87981230 100644
+--- a/content/browser/zygote_host/zygote_host_impl_linux.cc
++++ b/content/browser/zygote_host/zygote_host_impl_linux.cc
+@@ -9,7 +9,10 @@
+ #include <sys/types.h>
+ 
+ #include "base/files/file_enumerator.h"
++#include "base/files/file_util.h"
+ #include "base/logging.h"
++#include "base/nix/xdg_util.h"
++#include "base/path_service.h"
+ #include "base/posix/unix_domain_socket.h"
+ #include "base/process/kill.h"
+ #include "base/process/launch.h"
+@@ -18,9 +21,12 @@
+ #include "base/types/fixed_array.h"
+ #include "build/build_config.h"
+ #include "build/chromeos_buildflags.h"
++#include "chrome/common/chrome_paths.h"  // nogncheck
+ #include "content/common/zygote/zygote_commands_linux.h"
+ #include "content/common/zygote/zygote_communication_linux.h"
+ #include "content/common/zygote/zygote_handle_impl_linux.h"
++#include "content/public/common/cdm_info.h"
++#include "content/public/common/content_client.h"
+ #include "content/public/common/zygote/zygote_handle.h"
+ #include "sandbox/linux/services/credentials.h"
+ #include "sandbox/linux/services/flatpak_sandbox.h"
+@@ -29,6 +35,7 @@
+ #include "sandbox/linux/suid/common/sandbox.h"
+ #include "sandbox/policy/linux/sandbox_linux.h"
+ #include "sandbox/policy/switches.h"
++#include "third_party/widevine/cdm/buildflags.h"  // nogncheck
+ 
+ #if BUILDFLAG(IS_CHROMEOS)
+ #include "content/common/zygote/zygote_communication_linux.h"
+@@ -193,8 +200,51 @@ pid_t ZygoteHostImpl::LaunchZygote(
+   if (is_sandboxed_zygote && use_namespace_sandbox_) {
+     process = sandbox::NamespaceSandbox::LaunchProcess(*cmd_line, options);
+   } else if (is_sandboxed_zygote && use_flatpak_sandbox_) {
+-    process = sandbox::FlatpakSandbox::GetInstance()->LaunchProcess(*cmd_line,
+-                                                                    options);
++    sandbox::FlatpakSandbox::SpawnOptions spawn_options;
++
++#if BUILDFLAG(ENABLE_LIBRARY_CDMS)
++    // Expose the CDM paths into the sandbox. This is similar to PreSandboxInit
++    // in content_main_runner_impl.cc.
++    std::vector<CdmInfo> cdms;
++    GetContentClient()->AddContentDecryptionModules(&cdms, nullptr);
++    for (const auto& cdm : cdms) {
++      if (!spawn_options.ExposePathRo(cdm.path)) {
++        LOG(ERROR) << "Failed to expose CDM module";
++      }
++    }
++#endif
++
++#if BUILDFLAG(ENABLE_WIDEVINE_CDM_COMPONENT)
++    // Make sure we also expose the full Widevine CDM folder so it can be
++    // detected.
++    // TODO: Remove the explicit dependencies on chrome::.
++    base::FilePath widevine_cdm_path;
++    if (!base::PathService::Get(chrome::DIR_COMPONENT_UPDATED_WIDEVINE_CDM,
++                                &widevine_cdm_path)) {
++      LOG(ERROR) << "Failed to get Widevine CDM folder for sandbox forwarding";
++    }
++
++    LOG(INFO) << "Widevine CDM path IS: " << widevine_cdm_path;
++
++    if (!widevine_cdm_path.empty() && base::PathExists(widevine_cdm_path)) {
++      if (!spawn_options.ExposePathRo(widevine_cdm_path)) {
++        LOG(ERROR) << "Failed to expose updated Widevine CDM path";
++      }
++    }
++
++    // The Widevine data is found relative to $XDG_CONFIG_HOME, which is not set
++    // by default when running a sandboxed process.
++    auto env = base::Environment::Create();
++    base::FilePath xdgConfigHome = base::nix::GetXDGDirectory(
++        env.get(), base::nix::kXdgConfigHomeEnvVar, nullptr);
++    if (!xdgConfigHome.empty()) {
++      options.environment[base::nix::kXdgConfigHomeEnvVar] =
++          xdgConfigHome.value();
++    }
++#endif
++
++    process = sandbox::FlatpakSandbox::GetInstance()->LaunchProcess(
++        *cmd_line, options, spawn_options);
+   } else {
+     process = base::LaunchProcess(*cmd_line, options);
+   }
+diff --git a/sandbox/linux/services/flatpak_sandbox.cc b/sandbox/linux/services/flatpak_sandbox.cc
+index 2a915a5b9fa11..ed8d4c0556f63 100644
+--- a/sandbox/linux/services/flatpak_sandbox.cc
++++ b/sandbox/linux/services/flatpak_sandbox.cc
+@@ -4,6 +4,7 @@
+ 
+ #include "sandbox/linux/services/flatpak_sandbox.h"
+ 
++#include <fcntl.h>
+ #include <signal.h>
+ #include <sstream>
+ #include <string>
+@@ -92,6 +93,18 @@ enum FlatpakSpawnSandboxFlags {
+   kFlatpakSpawnSandbox_ShareA11yBus = 1 << 4,
+ };
+ 
++bool FlatpakSandbox::SpawnOptions::ExposePathRo(base::FilePath path) {
++  base::ScopedFD fd(
++      HANDLE_EINTR(open(path.value().c_str(), O_PATH | O_NOFOLLOW)));
++  if (!fd.is_valid()) {
++    PLOG(ERROR) << "Failed to expose path " << path;
++    return false;
++  }
++
++  sandbox_expose_ro.push_back(std::move(fd));
++  return true;
++}
++
+ FlatpakSandbox::FlatpakSandbox()
+     : bus_thread_("FlatpakPortalBus"), process_info_cv_(&process_info_lock_) {}
+ 
+@@ -168,8 +181,9 @@ bool FlatpakSandbox::IsPidSandboxed(base::ProcessId relative_pid) {
+ 
+ base::Process FlatpakSandbox::LaunchProcess(
+     const base::CommandLine& cmdline,
+-    const base::LaunchOptions& launch_options) {
+-  base::ProcessId external_pid = Spawn(cmdline, launch_options);
++    const base::LaunchOptions& launch_options,
++    const SpawnOptions& spawn_options /*= {}*/) {
++  base::ProcessId external_pid = Spawn(cmdline, launch_options, spawn_options);
+   if (external_pid == base::kNullProcessId) {
+     return base::Process();
+   }
+@@ -363,9 +377,9 @@ void FlatpakSandbox::OnSpawnExitedSignal(dbus::Signal* signal) {
+   process_info_cv_.Broadcast();
+ }
+ 
+-base::ProcessId FlatpakSandbox::Spawn(
+-    const base::CommandLine& cmdline,
+-    const base::LaunchOptions& launch_options) {
++base::ProcessId FlatpakSandbox::Spawn(const base::CommandLine& cmdline,
++                                      const base::LaunchOptions& launch_options,
++                                      const SpawnOptions& spawn_options) {
+   base::ScopedBlockingCall scoped_blocking_call(FROM_HERE,
+                                                 base::BlockingType::MAY_BLOCK);
+   base::ScopedAllowBaseSyncPrimitives allow_wait;
+@@ -391,24 +405,26 @@ base::ProcessId FlatpakSandbox::Spawn(
+       FROM_HERE,
+       base::BindOnce(&FlatpakSandbox::SpawnOnBusThread, base::Unretained(this),
+                      base::Unretained(&external_pid), base::Unretained(&event),
+-                     cmdline, launch_options));
++                     base::Unretained(&cmdline),
++                     base::Unretained(&launch_options),
++                     base::Unretained(&spawn_options)));
+   event.Wait();
+ 
+   return external_pid;
+ }
+ 
+-void FlatpakSandbox::SpawnOnBusThread(
+-    base::ProcessId* out_external_pid,
+-    base::WaitableEvent* event,
+-    const base::CommandLine& cmdline,
+-    const base::LaunchOptions& launch_options) {
++void FlatpakSandbox::SpawnOnBusThread(base::ProcessId* out_external_pid,
++                                      base::WaitableEvent* event,
++                                      const base::CommandLine* cmdline,
++                                      const base::LaunchOptions* launch_options,
++                                      const SpawnOptions* spawn_options) {
+   dbus::ObjectProxy* object_proxy = GetPortalObjectProxy();
+   dbus::MethodCall method_call(kFlatpakPortalInterfaceName, "Spawn");
+   dbus::MessageWriter writer(&method_call);
+ 
+   const base::FilePath& current_directory =
+-      !launch_options.current_directory.empty()
+-          ? launch_options.current_directory
++      !launch_options->current_directory.empty()
++          ? launch_options->current_directory
+           // Change to /app since it's guaranteed to always be present in
+           // the sandbox.
+           : kFlatpakAppPath;
+@@ -417,7 +433,7 @@ void FlatpakSandbox::SpawnOnBusThread(
+   dbus::MessageWriter argv_writer(nullptr);
+   writer.OpenArray("ay", &argv_writer);
+ 
+-  for (const std::string& arg : cmdline.argv()) {
++  for (const std::string& arg : cmdline->argv()) {
+     WriteStringAsByteArray(&argv_writer, arg);
+   }
+ 
+@@ -439,7 +455,7 @@ void FlatpakSandbox::SpawnOnBusThread(
+   WriteFdPairMap(&fds_writer, STDOUT_FILENO, STDOUT_FILENO);
+   WriteFdPairMap(&fds_writer, STDERR_FILENO, STDERR_FILENO);
+ 
+-  for (const auto& pair : launch_options.fds_to_remap) {
++  for (const auto& pair : launch_options->fds_to_remap) {
+     WriteFdPairMap(&fds_writer, pair.first, pair.second);
+   }
+ 
+@@ -448,7 +464,7 @@ void FlatpakSandbox::SpawnOnBusThread(
+   dbus::MessageWriter env_writer(nullptr);
+   writer.OpenArray("{ss}", &env_writer);
+ 
+-  for (const auto& pair : launch_options.environment) {
++  for (const auto& pair : launch_options->environment) {
+     dbus::MessageWriter entry_writer(nullptr);
+     env_writer.OpenDictEntry(&entry_writer);
+ 
+@@ -472,11 +488,11 @@ void FlatpakSandbox::SpawnOnBusThread(
+ #else
+ #endif
+ 
+-  if (launch_options.clear_environment) {
++  if (launch_options->clear_environment) {
+     spawn_flags |= kFlatpakSpawn_ClearEnvironment;
+   }
+ 
+-  if (launch_options.kill_on_parent_death) {
++  if (launch_options->kill_on_parent_death) {
+     spawn_flags |= kFlatpakSpawn_WatchBus;
+   }
+ 
+@@ -485,6 +501,28 @@ void FlatpakSandbox::SpawnOnBusThread(
+   dbus::MessageWriter options_writer(nullptr);
+   writer.OpenArray("{sv}", &options_writer);
+ 
++  if (!spawn_options->sandbox_expose_ro.empty()) {
++    dbus::MessageWriter entry_writer(nullptr);
++    options_writer.OpenDictEntry(&entry_writer);
++
++    entry_writer.AppendString("sandbox-expose-fd-ro");
++
++    dbus::MessageWriter variant_writer(nullptr);
++    entry_writer.OpenVariant("ah", &variant_writer);
++
++    dbus::MessageWriter fds_writer(nullptr);
++    variant_writer.OpenArray("h", &fds_writer);
++
++    for (const base::ScopedFD& fd : spawn_options->sandbox_expose_ro) {
++      CHECK(fd.is_valid()) << "Invalid spawn expose fd";
++      fds_writer.AppendFileDescriptor(fd.get());
++    }
++
++    variant_writer.CloseContainer(&fds_writer);
++    entry_writer.CloseContainer(&variant_writer);
++    options_writer.CloseContainer(&entry_writer);
++  }
++
+   if (sandbox_flags != 0) {
+     dbus::MessageWriter entry_writer(nullptr);
+     options_writer.OpenDictEntry(&entry_writer);
+diff --git a/sandbox/linux/services/flatpak_sandbox.h b/sandbox/linux/services/flatpak_sandbox.h
+index 167bbc85945ad..de8e7165b4573 100644
+--- a/sandbox/linux/services/flatpak_sandbox.h
++++ b/sandbox/linux/services/flatpak_sandbox.h
+@@ -9,6 +9,8 @@
+ #include "base/compiler_specific.h"
+ #include "base/containers/flat_map.h"
+ #include "base/containers/flat_set.h"
++#include "base/files/file_path.h"
++#include "base/files/scoped_file.h"
+ #include "base/no_destructor.h"
+ #include "base/process/kill.h"
+ #include "base/process/launch.h"
+@@ -34,6 +36,20 @@ namespace sandbox {
+ // it is known inside the sandbox's PID namespace.
+ class SANDBOX_EXPORT FlatpakSandbox {
+  public:
++  class SpawnOptions {
++   public:
++    SpawnOptions() = default;
++    SpawnOptions(const SpawnOptions& other) = delete;
++    SpawnOptions(SpawnOptions&& other) = delete;
++
++    bool ExposePathRo(base::FilePath path);
++
++   private:
++    friend class FlatpakSandbox;
++
++    std::vector<base::ScopedFD> sandbox_expose_ro;
++  };
++
+   static FlatpakSandbox* GetInstance();
+ 
+   // Represents the level of sandboxing inside a Flatpak. kNone means this is
+@@ -55,7 +71,8 @@ class SANDBOX_EXPORT FlatpakSandbox {
+   // GetRelativePid. This is the reason why a vanilla ProcessId is returned
+   // rather than a base::Process instance.
+   base::Process LaunchProcess(const base::CommandLine& cmdline,
+-                              const base::LaunchOptions& launch_options);
++                              const base::LaunchOptions& launch_options,
++                              const SpawnOptions& spawn_options = {});
+ 
+   // Indefinitely waits for the given process and fills the exit code pointer
+   // if given and non-null. Returns false on wait failure.
+@@ -84,11 +101,13 @@ class SANDBOX_EXPORT FlatpakSandbox {
+   void OnSpawnExitedSignal(dbus::Signal* signal);
+ 
+   base::ProcessId Spawn(const base::CommandLine& cmdline,
+-                        const base::LaunchOptions& launch_options);
++                        const base::LaunchOptions& launch_options,
++                        const SpawnOptions& spawn_options);
+   void SpawnOnBusThread(base::ProcessId* out_external_pid,
+                         base::WaitableEvent* event,
+-                        const base::CommandLine& cmdline,
+-                        const base::LaunchOptions& launch_options);
++                        const base::CommandLine* cmdline,
++                        const base::LaunchOptions* launch_options,
++                        const SpawnOptions* spawn_options);
+   void OnSpawnResponse(base::ProcessId* out_external_pid,
+                        base::WaitableEvent* event,
+                        dbus::Response* response,
+-- 
+2.46.1
+

SPECS/chromium.spec

@@ -40,7 +40,7 @@
 	ninja -j %{numjobs} -C '%1' '%2'
 
 # enable|disable headless client build
-%if %{with gost}
+%if %{with gost} || 0%{?flatpak}
 %global build_headless 0
 %else
 %global build_headless 1
@@ -55,7 +55,7 @@
 %endif
 
 # enable|disable headless client build
-%if %{with gost}
+%if %{with gost} || 0%{?flatpak}
 %global build_chromedriver 0
 %else
 %global build_chromedriver 1
@@ -478,6 +478,12 @@ Patch412: add-ppc64-architecture-to-extensions.diff
 Patch413: fix-unknown-warning-option-messages.diff
 Patch414: cargo-add-ppc64.diff
 
+# flatpak sandbox patches from
+# https://github.com/flathub/org.chromium.Chromium/tree/master/patches/chromium
+Patch416: flatpak-Add-initial-sandbox-support.patch
+Patch417: flatpak-Adjust-paths-for-the-sandbox.patch
+Patch418: flatpak-Expose-Widevine-into-the-sandbox.patch
+
 # Old Yandex patch
 Patch600: 0001-Yandex-as-default-search-engine.patch
 # MSVSphere
@@ -739,7 +745,7 @@ BuildRequires: libXNVCtrl-devel
 %endif
 
 # One of the python scripts invokes git to look for a hash. So helpful.
-BuildRequires:	/usr/bin/git
+BuildRequires:	git-core
 BuildRequires:	hwdata
 BuildRequires:	kernel-headers
 %if ! %{bundlelibevent}
@@ -858,7 +864,7 @@ Requires: nss-mdns%{_isa}
 # GTK modules it expects to find for some reason.
 Requires: libcanberra-gtk3%{_isa}
 
-%if 0%{?fedora}
+%if 0%{?fedora} && %{undefined flatpak}
 # This enables support for u2f tokens
 Requires: u2f-hidraw-policy
 %endif
@@ -999,9 +1005,11 @@ Provides: bundled(xdg-mime)
 Provides: bundled(xdg-user-dirs)
 # Provides: bundled(zlib) = 1.2.11
 
+%if %{undefined flatpak}
 # For selinux scriptlet
 Requires(post): /usr/sbin/semanage
 Requires(post): /usr/sbin/restorecon
+%endif
 
 # Package with libffmpeg.so
 Requires: %{name}-ffmpeg%{_isa} = %{version}-%{release}
@@ -1281,6 +1289,12 @@ sed -i 's/std::string data_dir_basename = "chromium"/std::string data_dir_basena
 %patch -P414 -p1 -b .rust-add-ppc64-case
 %endif
 
+%if 0%{?flatpak}
+%patch -P416 -p1 -b .flatpak-initial-sandbox
+%patch -P417 -p1 -b .flatpak-sandbox-paths
+%patch -P418 -p1 -b .flatpak-widevine
+%endif
+
 %patch -P601 -p1 -b .Added-Russian-description-and-summary-for-gnome-soft
 %if ! %{with gost}
 %patch -P602 -p1 -b .Yandex-as-default-search-engine
@@ -1333,12 +1347,12 @@ popd
 popd
 %else
   mkdir -p third_party/node/linux/node-linux-x64/bin
-  ln -sf %{_bindir}/node third_party/node/linux/node-linux-x64/bin/node
+  ln -s $(which node) third_party/node/linux/node-linux-x64/bin/node
 %endif
 
 # Get rid of the bundled esbuild
 %if 0%{?fedora}
-  ln -sf %{_bindir}/esbuild third_party/devtools-frontend/src/third_party/esbuild/esbuild
+  ln -sf $(which esbuild) third_party/devtools-frontend/src/third_party/esbuild/esbuild
 %else
   %ifarch x86_64
     tar -zxf %{SOURCE14} --directory %{_tmppath}
@@ -1353,7 +1367,7 @@ popd
 rm -rf buildtools/third_party/eu-strip/bin/eu-strip
   
 # Replace it with a symlink to the Fedora copy
-ln -s %{_bindir}/eu-strip buildtools/third_party/eu-strip/bin/eu-strip
+ln -s $(which eu-strip) buildtools/third_party/eu-strip/bin/eu-strip
 
 %if %{bundlelibusbx}
 # no hackity hack hack
@@ -1361,7 +1375,7 @@ ln -s %{_bindir}/eu-strip buildtools/third_party/eu-strip/bin/eu-strip
 # hackity hack hack
 rm -rf third_party/libusb/src/libusb/libusb.h
 # we _shouldn't need to do this, but it looks like we do.
-cp -a %{_includedir}/libusb-1.0/libusb.h third_party/libusb/src/libusb/libusb.h
+cp -a $(pkg-config --variable=includedir libusb-1.0)/libusb-1.0/libusb.h third_party/libusb/src/libusb/libusb.h
 %endif
 
 # Hard code extra version
@@ -1428,11 +1442,8 @@ export RUSTC_BOOTSTRAP=1
 # set rustc version
 rustc_version="$(rustc --version)"
 # set rust bindgen root
-%if 0%{?rhel} == 8
+rust_bindgen_root="$(which bindgen | sed 's#/bin/.*##')"
-rust_bindgen_root="$PWD%{_prefix}"
+rust_sysroot_absolute="$(rustc --print sysroot)"
-%else
-rust_bindgen_root="%{_prefix}"
-%endif
 
 # set clang version
 clang_version="$(clang --version | sed -n 's/clang version //p' | cut -d. -f1)"
@@ -1476,7 +1487,7 @@ CHROMIUM_CORE_GN_DEFINES+=' clang_use_chrome_plugins=false'
 CHROMIUM_CORE_GN_DEFINES+=' use_lld=true'
 
 # enable system rust
-CHROMIUM_CORE_GN_DEFINES+=' rust_sysroot_absolute="%{_prefix}"'
+CHROMIUM_CORE_GN_DEFINES+=" rust_sysroot_absolute=\"$rust_sysroot_absolute\""
 CHROMIUM_CORE_GN_DEFINES+=" rust_bindgen_root=\"$rust_bindgen_root\""
 CHROMIUM_CORE_GN_DEFINES+=" rustc_version=\"$rustc_version\""
 
@@ -1523,13 +1534,13 @@ CHROMIUM_BROWSER_GN_DEFINES+=' rtc_use_h264=true'
 CHROMIUM_BROWSER_GN_DEFINES+=' use_kerberos=true'
 
 %if %{use_qt}
-CHROMIUM_BROWSER_GN_DEFINES+=' use_qt=true moc_qt5_path="%{_libdir}/qt5/bin/"'
+CHROMIUM_BROWSER_GN_DEFINES+=" use_qt=true moc_qt5_path=\"$(%{_qt5_qmake} -query QT_HOST_BINS)\""
-%else
+HROMIUM_BROWSER_GN_DEFINES+="
 CHROMIUM_BROWSER_GN_DEFINES+=' use_qt=false'
 %endif
 
 %if %{use_qt6}
-CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=true moc_qt6_path="%{_libdir}/qt6/libexec/"'
+CHROMIUM_BROWSER_GN_DEFINES+=" use_qt6=true moc_qt6_path=\"$(%{_qt6_qmake} -query QT_HOST_LIBEXECS)\""
 %else
 CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=false'
 %endif
@@ -1695,7 +1706,7 @@ fi
 %if %{bootstrap}
 tools/gn/bootstrap/bootstrap.py --gn-gen-args="$CHROMIUM_CORE_GN_DEFINES $CHROMIUM_BROWSER_GN_DEFINES"
 %else
-mkdir -p %{chromebuilddir} && cp -a %{_bindir}/gn %{chromebuilddir}/
+mkdir -p %{chromebuilddir} && cp -a $(which gn) %{chromebuilddir}/
 %endif
 
 %{chromebuilddir}/gn --script-executable=%{chromium_pybin} gen --args="$CHROMIUM_CORE_GN_DEFINES $CHROMIUM_BROWSER_GN_DEFINES" %{chromebuilddir}
@@ -1933,6 +1944,7 @@ cp -a %{SOURCE9} %{buildroot}%{_datadir}/gnome-control-center/default-apps/
 # README.fedora
 cp %{SOURCE1} .
 
+%if %{undefined flatpak}
 %post
 # Set SELinux labels - semanage itself will adjust the lib directory naming
 # But only do it when selinux is enabled, otherwise, it gets noisy.
@@ -1942,6 +1954,7 @@ if selinuxenabled; then
 	semanage fcontext -a -t chrome_sandbox_exec_t /usr/lib/chrome-sandbox &>/dev/null || :
 	restorecon -R -v %{chromium_path}/%{chromium_browser_channel} &>/dev/null || :
 fi
+%endif
 
 %if %{build_remoting}
 %pretrans -n chrome-remote-desktop -p <lua>