diff --git a/.chromium.metadata b/.chromium.metadata
index 5182a259..7d3fe6bc 100644
--- a/.chromium.metadata
+++ b/.chromium.metadata
@@ -1,3 +1,3 @@
-23342eb4eb57622d5c2bf3fc13d5cafdd67ace39 SOURCES/chromium-133.0.6943.98-clean.tar.xz
+1fdda24ddc7131e035787ae0517f34d63877ca90 SOURCES/chromium-133.0.6943.126-clean.tar.xz
 7e5d2c7864c5c83ec789b59c77cd9c20d2594916 SOURCES/linux-arm64-0.19.2.tgz
 dea187019741602d57aaf189a80abba261fbd2aa SOURCES/linux-x64-0.19.2.tgz
diff --git a/.gitignore b/.gitignore
index b2f9a95b..60145138 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/chromium-133.0.6943.98-clean.tar.xz
+SOURCES/chromium-133.0.6943.126-clean.tar.xz
 SOURCES/linux-arm64-0.19.2.tgz
 SOURCES/linux-x64-0.19.2.tgz
diff --git a/SOURCES/chromium-133-workaround-system-ffmpeg-whitelist.patch b/SOURCES/chromium-133-workaround-system-ffmpeg-whitelist.patch
index e873023c..d0e56f4e 100644
--- a/SOURCES/chromium-133-workaround-system-ffmpeg-whitelist.patch
+++ b/SOURCES/chromium-133-workaround-system-ffmpeg-whitelist.patch
@@ -1,21 +1,34 @@
-diff -up chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc.me chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc
---- chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc.me 2025-02-09 19:57:35.117198035 +0100
-+++ chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc 2025-02-09 22:57:26.429570196 +0100
+diff -up chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc.than chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc
+--- chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc.than 2025-02-13 11:59:31.035724118 +0100
++++ chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc 2025-02-14 10:39:07.825746076 +0100
@@ -76,6 +76,8 @@ const char* GetAllowedVideoDecoders() { void ApplyCodecContextSecuritySettings(AVCodecContext* codec_context) { // Future versions of ffmpeg may copy the allow list from the format // context. -+// Workaround for codec whitelist with system ffmpeg ++ // Workaround for codec whitelist with system ffmpeg +#if 0 if (!codec_context->codec_whitelist) { // Note: FFmpeg will try to free this string, so we must duplicate it. codec_context->codec_whitelist = -@@ -83,7 +85,7 @@ void ApplyCodecContextSecuritySettings(A +@@ -83,6 +85,7 @@ void ApplyCodecContextSecuritySettings(A ? GetAllowedAudioDecoders() : GetAllowedVideoDecoders()); } -- +#endif + // Note: This is security sensitive. FFmpeg may not always continue safely // in the presence of errors. See https://crbug.com/379418979 - if (base::FeatureList::IsEnabled(kStrictFFmpegCodecs)) { +diff -up chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc.than chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc +--- chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc.than 2025-02-14 10:14:13.360398193 +0100 ++++ chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc 2025-02-14 10:36:46.762332912 +0100 +@@ -131,8 +131,10 @@ FFmpegGlue::FFmpegGlue(FFmpegURLProtocol + // memory usage. + // + // Note: FFmpeg will try to free these strings, so we must duplicate them. ++#if 0 + format_context_->codec_whitelist = av_strdup(GetAllowedAudioDecoders()); + format_context_->format_whitelist = av_strdup(GetAllowedDemuxers()); ++#endif + } + + bool FFmpegGlue::OpenContext(bool is_local_file) { diff --git a/SOURCES/chromium-browser.sh b/SOURCES/chromium-browser.sh index 4ed62f5b..639e8680 100755 --- a/SOURCES/chromium-browser.sh +++ b/SOURCES/chromium-browser.sh @@ -48,4 +48,4 @@ exec < /dev/null exec > >(exec cat) exec 2> >(exec cat >&2) -exec -a "$0" "$HERE/@@CHROMIUM_BROWSER_CHANNEL@@" $CHROMIUM_FLAGS $CHROMIUM_DISTRO_FLAGS "$@" +exec -a "$0" "$HERE/chromium-browser" $CHROMIUM_FLAGS $CHROMIUM_DISTRO_FLAGS "$@" 
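Review bot: The new ffmpeg_glue.cc hunk puts both `format_context_->codec_whitelist` and `format_context_->format_whitelist` under `#if 0` without the explanatory comment the ffmpeg_common.cc part carries, so the next rebase finds no record of why the demuxer allow list is disabled as well as the decoder one. These strings are Chromium's defense-in-depth limit on which FFmpeg demuxers and decoders web content can reach; with both gone, every demuxer and decoder built into the system libavformat/libavcodec becomes reachable, and the `kStrictFFmpegCodecs` check that remains as context in ffmpeg_common.cc is a separate error-handling feature, not a replacement. Suggest `// Workaround for system ffmpeg: allow lists disabled, see ffmpeg_common.cc` above the new `#if 0`, and a sentence in the patch header or spec naming the concrete system-ffmpeg incompatibility (presumably allow-list entries not matching the distro build) so the workaround can be dropped once it no longer applies. The enclosing `FFmpegGlue::FFmpegGlue` constructor starts outside the hunk.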
diff --git a/SOURCES/chromium-latest.py b/SOURCES/chromium-latest.py
index e3f5888f..dc94fd74 100755
--- a/SOURCES/chromium-latest.py
+++ b/SOURCES/chromium-latest.py
@@ -1,5 +1,5 @@
 #!/usr/bin/python3
-# Copyright 2021-2024, Than Ngo
+# Copyright 2021-2025, Than Ngo
 # Copyright 2010,2015-2019 Tom Callaway
 # Copyright 2013-2016 Tomas Popela
 # Permission is hereby granted, free of charge, to any person obtaining
@@ -243,6 +243,9 @@ if __name__ == '__main__':
 parser_add_argument(
 '--ffmpegclean', action='store_true',
 help='Get the latest Chromium release from given channel and cleans ffmpeg sources from proprietary stuff')
+ parser_add_argument(
+ '--ffmpegremove', action='store_true',
+ help='Get the latest Chromium release from given channel and remove ffmpeg sources')
 parser_add_argument(
 '--chrome', action='store_true',
 help='Get the latest Chrome rpms for the given channel')
@@ -342,7 +345,14 @@ if __name__ == '__main__':
 print("Cleaning ffmpeg from proprietary things...")
 os.system("./clean_ffmpeg.sh %s %d" % (latest_dir, 0 if args.ffmpegarm else 1))
 print("Cleaning openh264 from proprietary things...")
- os.system("find %s/third_party/openh264/src -type f -not -name '*.h' -delete " % latest_dir)
+ os.system("find %s/third_party/openh264/* -type d | xargs rm -rf" % latest_dir)
+ print("Done!")
+
+ if (args.ffmpegremove):
+ print("Removing ffmpeg source...")
+ os.system("find %s/third_party/ffmpeg/* -type d | xargs rm -rf" % latest_dir)
+ print("Cleaning openh264 from proprietary things...")
+ os.system("find %s/third_party/openh264/* -type d | xargs rm -rf" % latest_dir)
 print("Done!")
 
 if (not args.prep):
diff --git a/SOURCES/flatpak-Add-initial-sandbox-support.patch b/SOURCES/flatpak-Add-initial-sandbox-support.patch
index dae2d943..73f39b12 100644
--- a/SOURCES/flatpak-Add-initial-sandbox-support.patch
+++ b/SOURCES/flatpak-Add-initial-sandbox-support.patch
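Review bot: The three new `os.system("find %s/... -type d | xargs rm -rf" % latest_dir)` lines in the `@@ -342,7 +345,14 @@` hunk interpolate `latest_dir` unquoted into a shell pipeline, so a path with whitespace or glob characters is split by the shell and again by `xargs`, whereas the replaced `find ... -delete` form at least avoided the `xargs` round trip. The same openh264 removal is now written twice, once under `--ffmpegclean` and once under `--ffmpegremove`. A small helper that walks the directory with `os.scandir` and `shutil.rmtree`s each real subdirectory keeps the "remove subdirectories, keep top-level files" behaviour of `find dir/* -type d` (apart from dot-directories, which the shell glob skipped) without involving a shell at all; `shutil` needs importing if the module does not already. The enclosing `if __name__ == '__main__':` block starts outside the hunk.
```python
def _remove_subdirs(root):
    """Delete every directory directly under root, keeping top-level files (replaces find root/* -type d | xargs rm -rf)."""
    with os.scandir(root) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                shutil.rmtree(entry.path)

# … unchanged: clean_ffmpeg.sh invocation …
print("Cleaning openh264 from proprietary things...")
_remove_subdirs(os.path.join(latest_dir, "third_party", "openh264"))
print("Done!")

if (args.ffmpegremove):
    print("Removing ffmpeg source...")
    _remove_subdirs(os.path.join(latest_dir, "third_party", "ffmpeg"))
    print("Cleaning openh264 from proprietary things...")
    _remove_subdirs(os.path.join(latest_dir, "third_party", "openh264"))
    print("Done!")
```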
@@ -1,4 +1,4 @@ -From ab11528f26a212417b0b6084b52c02e992fe43f7 Mon Sep 17 00:00:00 2001 +From e29f4b52c8770033504794b934bc14b1d7261ef1 Mon Sep 17 00:00:00 2001 From: Ryan Gonzalez Date: Tue, 17 Mar 2020 13:18:27 -0500 Subject: [PATCH] flatpak: Add initial sandbox support @@ -42,10 +42,10 @@ index 9056030523807..2c13d0ad5f1c7 100644 /.externalToolBuilders/ /.settings/ diff --git a/base/threading/thread_restrictions.h b/base/threading/thread_restrictions.h -index 149838be725f2..81034acc71e97 100644 +index e029700325e79..14ef172d37087 100644 --- a/base/threading/thread_restrictions.h +++ b/base/threading/thread_restrictions.h -@@ -407,6 +407,9 @@ class ScopedAllowThreadJoinForWebRtcTransport; +@@ -409,6 +409,9 @@ class ScopedAllowThreadJoinForWebRtcTransport; namespace rlz_lib { class FinancialPing; } @@ -55,7 +55,7 @@ index 149838be725f2..81034acc71e97 100644 namespace service_manager { class ServiceProcessLauncher; } -@@ -649,6 +652,7 @@ class BASE_EXPORT ScopedAllowBlocking { +@@ -646,6 +649,7 @@ class BASE_EXPORT ScopedAllowBlocking { friend class remoting:: ScopedBypassIOThreadRestrictions; // http://crbug.com/1144161 friend class remoting::ScopedAllowBlockingForCrashReporting; @@ -63,7 +63,7 @@ index 149838be725f2..81034acc71e97 100644 friend class ui::DrmDisplayHostManager; friend class ui::ScopedAllowBlockingForGbmSurface; friend class ui::SelectFileDialogLinux; -@@ -792,6 +796,7 @@ class BASE_EXPORT ScopedAllowBaseSyncPrimitives { +@@ -788,6 +792,7 @@ class BASE_EXPORT ScopedAllowBaseSyncPrimitives { friend class rlz_lib::FinancialPing; friend class shell_integration_linux:: LaunchXdgUtilityScopedAllowBaseSyncPrimitives; @@ -72,7 +72,7 @@ index 149838be725f2..81034acc71e97 100644 friend class syncer::HttpBridge; friend class syncer::GetLocalChangesRequest; 
diff --git a/chrome/browser/resources/sandbox_internals/sandbox_internals.ts b/chrome/browser/resources/sandbox_internals/sandbox_internals.ts -index f6d2f3f0bc41c..fcc58c6735eaa 100644 +index 1d2c06f540674..9946482709bbf 100644 --- a/chrome/browser/resources/sandbox_internals/sandbox_internals.ts +++ b/chrome/browser/resources/sandbox_internals/sandbox_internals.ts @@ -140,6 +140,7 @@ function addGoodBadRow(name: string, result: boolean): HTMLElement { @@ -94,10 +94,10 @@ index f6d2f3f0bc41c..fcc58c6735eaa 100644 addStatusRow('Layer 1 Sandbox', layer1SandboxType, layer1SandboxCssClass); diff --git a/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc b/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc -index 82aa27787a5e0..32bf674f33da6 100644 +index 1174a704b8126..e7fd738b705fb 100644 --- a/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc +++ b/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc -@@ -20,6 +20,7 @@ +@@ -15,6 +15,7 @@ #include "content/public/browser/web_contents.h" #include "content/public/browser/web_ui.h" #include "content/public/browser/web_ui_data_source.h" @@ -105,7 +105,7 @@ index 82aa27787a5e0..32bf674f33da6 100644 #include "services/network/public/mojom/content_security_policy.mojom.h" #if BUILDFLAG(IS_WIN) -@@ -46,6 +47,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) { +@@ -41,6 +42,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) { source->AddBoolean("suid", status & sandbox::policy::SandboxLinux::kSUID); source->AddBoolean("userNs", status & sandbox::policy::SandboxLinux::kUserNS); 
@@ -114,7 +114,7 @@ index 82aa27787a5e0..32bf674f33da6 100644 source->AddBoolean("pidNs", status & sandbox::policy::SandboxLinux::kPIDNS); source->AddBoolean("netNs", status & sandbox::policy::SandboxLinux::kNetNS); source->AddBoolean("seccompBpf", -@@ -63,7 +66,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) { +@@ -58,7 +61,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) { // Require either the setuid or namespace sandbox for our first-layer sandbox. bool good_layer1 = (status & sandbox::policy::SandboxLinux::kSUID || @@ -125,10 +125,10 @@ index 82aa27787a5e0..32bf674f33da6 100644 status & sandbox::policy::SandboxLinux::kNetNS; // A second-layer sandbox is also required to be adequately sandboxed. diff --git a/content/browser/child_process_host_impl.cc b/content/browser/child_process_host_impl.cc -index 95df576580a9e..8d5e0694660b6 100644 +index 583a386414590..c1cf93992da5b 100644 --- a/content/browser/child_process_host_impl.cc +++ b/content/browser/child_process_host_impl.cc -@@ -45,6 +45,7 @@ +@@ -46,6 +46,7 @@ #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) #include "base/linux_util.h" @@ -136,7 +136,7 @@ index 95df576580a9e..8d5e0694660b6 100644 #elif BUILDFLAG(IS_MAC) #include "base/apple/foundation_util.h" #include "content/browser/mac_helpers.h" -@@ -78,7 +79,12 @@ base::FilePath ChildProcessHost::GetChildPath(int flags) { +@@ -72,7 +73,12 @@ base::FilePath ChildProcessHost::GetChildPath(int flags) { #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) // Use /proc/self/exe rather than our known binary path so updates // can't swap out the binary from underneath us. @@ -151,7 +151,7 @@ index 95df576580a9e..8d5e0694660b6 100644 } #endif diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc -index 8eca918b65cbe..1703fb6ade044 100644 +index bd1013ccdd503..00f6ff8e13af5 100644 --- a/content/browser/zygote_host/zygote_host_impl_linux.cc 
+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc @@ -12,6 +12,7 @@ @@ -162,7 +162,7 @@ index 8eca918b65cbe..1703fb6ade044 100644 #include "base/process/memory.h" #include "base/strings/string_number_conversions.h" #include "base/types/fixed_array.h" -@@ -22,6 +23,7 @@ +@@ -21,6 +22,7 @@ #include "content/common/zygote/zygote_handle_impl_linux.h" #include "content/public/common/zygote/zygote_handle.h" #include "sandbox/linux/services/credentials.h" @@ -170,7 +170,7 @@ index 8eca918b65cbe..1703fb6ade044 100644 #include "sandbox/linux/services/namespace_sandbox.h" #include "sandbox/linux/suid/client/setuid_sandbox_host.h" #include "sandbox/linux/suid/common/sandbox.h" -@@ -72,6 +74,7 @@ ZygoteHostImpl::ZygoteHostImpl() +@@ -71,6 +73,7 @@ ZygoteHostImpl::ZygoteHostImpl() : use_namespace_sandbox_(false), use_suid_sandbox_(false), use_suid_sandbox_for_adj_oom_score_(false), @@ -178,7 +178,7 @@ index 8eca918b65cbe..1703fb6ade044 100644 sandbox_binary_(), zygote_pids_lock_(), zygote_pids_() {} -@@ -110,9 +113,12 @@ void ZygoteHostImpl::Init(const base::CommandLine& command_line) { +@@ -109,9 +112,12 @@ void ZygoteHostImpl::Init(const base::CommandLine& command_line) { sandbox_binary_ = setuid_sandbox_host->GetSandboxBinaryPath().value(); } @@ -194,7 +194,7 @@ index 8eca918b65cbe..1703fb6ade044 100644 use_namespace_sandbox_ = true; } else if (!command_line.HasSwitch( sandbox::policy::switches::kDisableSetuidSandbox) && -@@ -183,10 +189,16 @@ pid_t ZygoteHostImpl::LaunchZygote( +@@ -182,10 +188,16 @@ pid_t ZygoteHostImpl::LaunchZygote( sandbox_host->SetupLaunchEnvironment(); } @@ -215,7 +215,7 @@ index 8eca918b65cbe..1703fb6ade044 100644 CHECK(process.IsValid()) << "Failed to launch zygote process"; dummy_fd.reset(); -@@ -195,7 +207,8 @@ pid_t ZygoteHostImpl::LaunchZygote( +@@ -194,7 +206,8 @@ pid_t ZygoteHostImpl::LaunchZygote( pid_t pid = process.Pid(); 
@@ -225,7 +225,7 @@ index 8eca918b65cbe..1703fb6ade044 100644 // The namespace and SUID sandbox will execute the zygote in a new // PID namespace, and the main zygote process will then fork from // there. Watch now our elaborate dance to find and validate the -@@ -223,7 +236,11 @@ pid_t ZygoteHostImpl::LaunchZygote( +@@ -222,7 +235,11 @@ pid_t ZygoteHostImpl::LaunchZygote( if (real_pid != pid) { // Reap the sandbox. @@ -238,7 +238,7 @@ index 8eca918b65cbe..1703fb6ade044 100644 } pid = real_pid; } -@@ -274,6 +291,10 @@ void ZygoteHostImpl::AdjustRendererOOMScore(base::ProcessHandle pid, +@@ -273,6 +290,10 @@ void ZygoteHostImpl::AdjustRendererOOMScore(base::ProcessHandle pid, selinux_valid = true; } @@ -250,10 +250,10 @@ index 8eca918b65cbe..1703fb6ade044 100644 if (!base::AdjustOOMScore(pid, score)) PLOG(ERROR) << "Failed to adjust OOM score of renderer with pid " << pid; diff --git a/content/browser/zygote_host/zygote_host_impl_linux.h b/content/browser/zygote_host/zygote_host_impl_linux.h -index 720d823d4a695..ad470963693c4 100644 +index 8ef884a7db6f4..f441900dd6343 100644 --- a/content/browser/zygote_host/zygote_host_impl_linux.h +++ b/content/browser/zygote_host/zygote_host_impl_linux.h -@@ -70,6 +70,7 @@ class CONTENT_EXPORT ZygoteHostImpl : public ZygoteHost { +@@ -69,6 +69,7 @@ class CONTENT_EXPORT ZygoteHostImpl : public ZygoteHost { bool use_namespace_sandbox_; bool use_suid_sandbox_; bool use_suid_sandbox_for_adj_oom_score_; @@ -262,10 +262,10 @@ index 720d823d4a695..ad470963693c4 100644 // This lock protects the |zygote_pids_| set. diff --git a/content/zygote/zygote_linux.cc b/content/zygote/zygote_linux.cc -index bdcb36f7eb2fe..239a6462e4b41 100644 +index f2c3b43281d53..9f3f3f6b1bc12 100644 --- a/content/zygote/zygote_linux.cc 
+++ b/content/zygote/zygote_linux.cc -@@ -127,7 +127,7 @@ bool Zygote::ProcessRequests() { +@@ -126,7 +126,7 @@ bool Zygote::ProcessRequests() { PCHECK(sigaddset(&sigset, SIGCHLD) == 0); PCHECK(sigprocmask(SIG_BLOCK, &sigset, &orig_sigmask) == 0); @@ -274,7 +274,7 @@ index bdcb36f7eb2fe..239a6462e4b41 100644 // Let the ZygoteHost know we are ready to go. // The receiving code is in // content/browser/zygote_host/zygote_host_impl_linux.cc. -@@ -233,6 +233,10 @@ bool Zygote::UsingNSSandbox() const { +@@ -231,6 +231,10 @@ bool Zygote::UsingNSSandbox() const { return sandbox_flags_ & sandbox::policy::SandboxLinux::kUserNS; } @@ -506,7 +506,7 @@ index 0000000000000..22799eb42f782 +#endif diff --git a/sandbox/linux/services/flatpak_sandbox.cc b/sandbox/linux/services/flatpak_sandbox.cc new file mode 100644 -index 0000000000000..2a915a5b9fa11 +index 0000000000000..31229fdf59127 --- /dev/null +++ b/sandbox/linux/services/flatpak_sandbox.cc @@ -0,0 +1,576 @@ @@ -570,7 +570,7 @@ index 0000000000000..2a915a5b9fa11 + +void WriteStringAsByteArray(dbus::MessageWriter* writer, + const std::string& str) { -+ writer->AppendArrayOfBytes(base::make_span( ++ writer->AppendArrayOfBytes(base::span( + reinterpret_cast(str.c_str()), str.size() + 1)); +} + @@ -1211,10 +1211,10 @@ index 0000000000000..167bbc85945ad + +#endif // SANDBOX_LINUX_SERVICES_FLATPAK_SANDBOX_H_ diff --git a/sandbox/policy/BUILD.gn b/sandbox/policy/BUILD.gn -index 4fe53b047b9aa..794e1ad1805d8 100644 +index 6767e25821a9a..521c089a5f3df 100644 --- a/sandbox/policy/BUILD.gn +++ b/sandbox/policy/BUILD.gn -@@ -129,6 +129,9 @@ component("policy") { +@@ -116,6 +116,9 @@ component("policy") { "//sandbox/linux:suid_sandbox_client", ] } @@ -1225,7 +1225,7 @@ index 4fe53b047b9aa..794e1ad1805d8 100644 sources += [ "linux/bpf_ime_policy_linux.cc", diff --git a/sandbox/policy/linux/sandbox_linux.cc b/sandbox/policy/linux/sandbox_linux.cc -index c7313416e6183..0cb8043f0ac72 100644 +index 6249a61685332..a3ae93f9f4191 100644 
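Review bot: In the `@@ -570,7 +570,7 @@` hunk the `reinterpret_cast` inside `WriteStringAsByteArray` appears with no target type, almost certainly because the `<…>` was stripped when this page was rendered; since the rebase replaces `base::make_span(...)` with `base::span(...)` and so relies on class template argument deduction, the span's element type now comes solely from that cast, so it is worth confirming the patch file itself still reads `reinterpret_cast<const uint8_t*>(str.c_str())` (or whichever element type `dbus::MessageWriter::AppendArrayOfBytes` takes in this Chromium). The `str.size() + 1` appears intended to include the NUL terminator that `c_str()` guarantees; a one-line comment such as `// +1: include the trailing NUL of c_str()` would spare the next reader the question. The function is complete within the hunk.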
--- a/sandbox/policy/linux/sandbox_linux.cc +++ b/sandbox/policy/linux/sandbox_linux.cc @@ -37,6 +37,7 @@ @@ -1236,7 +1236,7 @@ index c7313416e6183..0cb8043f0ac72 100644 #include "sandbox/linux/services/libc_interceptor.h" #include "sandbox/linux/services/namespace_sandbox.h" #include "sandbox/linux/services/proc_util.h" -@@ -236,6 +237,9 @@ void SandboxLinux::PreinitializeSandbox() { +@@ -232,6 +233,9 @@ void SandboxLinux::PreinitializeSandbox() { const int yama_status = Yama::GetStatus(); yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) && (yama_status & Yama::STATUS_ENFORCING); @@ -1246,7 +1246,7 @@ index c7313416e6183..0cb8043f0ac72 100644 pre_initialized_ = true; } -@@ -274,6 +278,10 @@ int SandboxLinux::GetStatus() { +@@ -270,6 +274,10 @@ int SandboxLinux::GetStatus() { sandbox_status_flags_ |= kPIDNS; if (NamespaceSandbox::InNewNetNamespace()) sandbox_status_flags_ |= kNetNS; @@ -1291,10 +1291,10 @@ index 0e4f78b9e6cb7..91b638d8a96e0 100644 #if BUILDFLAG(USING_SANITIZER) std::unique_ptr<__sanitizer_sandbox_arguments> sanitizer_args_; diff --git a/services/service_manager/service_process_launcher.cc b/services/service_manager/service_process_launcher.cc -index e24a262fe90d5..c20fdbd88a1a6 100644 +index bb99780fb878d..4dcdee34d2338 100644 --- a/services/service_manager/service_process_launcher.cc +++ b/services/service_manager/service_process_launcher.cc -@@ -41,6 +41,7 @@ +@@ -40,6 +40,7 @@ #endif #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) @@ -1302,7 +1302,7 @@ index e24a262fe90d5..c20fdbd88a1a6 100644 #include "sandbox/linux/services/namespace_sandbox.h" #endif -@@ -286,8 +287,15 @@ void ServiceProcessLauncher::ProcessState::StopInBackground() { +@@ -285,8 +286,15 @@ void ServiceProcessLauncher::ProcessState::StopInBackground() { return; int rv = -1; @@ -1321,5 +1321,5 @@ index e24a262fe90d5..c20fdbd88a1a6 100644 } -- -2.46.1 +2.47.1 
diff --git a/SOURCES/flatpak-Adjust-paths-for-the-sandbox.patch b/SOURCES/flatpak-Adjust-paths-for-the-sandbox.patch index 3b1863de..17c6bcdc 100644 --- a/SOURCES/flatpak-Adjust-paths-for-the-sandbox.patch +++ b/SOURCES/flatpak-Adjust-paths-for-the-sandbox.patch @@ -1,4 +1,4 @@ -From 997c9dc4160c468f26acb851eb65408f41e2a091 Mon Sep 17 00:00:00 2001 +From bf5f40f06d453e0128a9289d2df48d82822f8646 Mon Sep 17 00:00:00 2001 From: Ryan Gonzalez Date: Tue, 25 Aug 2020 19:26:07 -0500 Subject: [PATCH] flatpak: Adjust paths for the sandbox @@ -9,10 +9,10 @@ Subject: [PATCH] flatpak: Adjust paths for the sandbox 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/chrome/common/BUILD.gn b/chrome/common/BUILD.gn -index 76cf6a5985990..4044c87b656c4 100644 +index b7338a65d9a68..b13c79e33c3f6 100644 --- a/chrome/common/BUILD.gn +++ b/chrome/common/BUILD.gn -@@ -642,6 +642,10 @@ static_library("constants") { +@@ -633,6 +633,10 @@ static_library("constants") { "//third_party/widevine/cdm:headers", ] } @@ -24,7 +24,7 @@ index 76cf6a5985990..4044c87b656c4 100644 # Use a static library here because many test binaries depend on this but don't diff --git a/chrome/common/chrome_paths.cc b/chrome/common/chrome_paths.cc -index ec09803ffabcf..ecbc300b99e1d 100644 +index afc13e1b56f78..d707b71ba03ac 100644 --- a/chrome/common/chrome_paths.cc +++ b/chrome/common/chrome_paths.cc @@ -38,6 +38,10 @@ @@ -38,8 +38,8 @@ index ec09803ffabcf..ecbc300b99e1d 100644 #if BUILDFLAG(ENABLE_WIDEVINE) #include "third_party/widevine/cdm/widevine_cdm_common.h" // nogncheck #endif -@@ -537,6 +541,14 @@ bool PathProvider(int key, base::FilePath* result) { - break; +@@ -529,6 +533,14 @@ bool PathProvider(int key, base::FilePath* result) { + #endif #if BUILDFLAG(IS_POSIX) && !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_OPENBSD) case chrome::DIR_POLICY_FILES: { +#if defined(OS_LINUX) 
@@ -53,7 +53,7 @@ index ec09803ffabcf..ecbc300b99e1d 100644 cur = base::FilePath(policy::kPolicyPath); break; } -@@ -557,7 +569,13 @@ bool PathProvider(int key, base::FilePath* result) { +@@ -549,7 +561,13 @@ bool PathProvider(int key, base::FilePath* result) { #endif #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) case chrome::DIR_STANDALONE_EXTERNAL_EXTENSIONS: { @@ -68,7 +68,7 @@ index ec09803ffabcf..ecbc300b99e1d 100644 break; } #endif -@@ -604,6 +622,12 @@ bool PathProvider(int key, base::FilePath* result) { +@@ -596,6 +614,12 @@ bool PathProvider(int key, base::FilePath* result) { "/Library/Application Support/Chromium/NativeMessagingHosts")); #endif #else // BUILDFLAG(IS_MAC) @@ -82,5 +82,5 @@ index ec09803ffabcf..ecbc300b99e1d 100644 cur = base::FilePath( FILE_PATH_LITERAL("/etc/opt/chrome/native-messaging-hosts")); -- -2.46.1 +2.47.1 diff --git a/SOURCES/flatpak-Expose-Widevine-into-the-sandbox.patch b/SOURCES/flatpak-Expose-Widevine-into-the-sandbox.patch index b6f953dc..fc2eaf35 100644 --- a/SOURCES/flatpak-Expose-Widevine-into-the-sandbox.patch +++ b/SOURCES/flatpak-Expose-Widevine-into-the-sandbox.patch @@ -1,4 +1,4 @@ -From 0446b3432c90bbab893c7bde22a5e664e14753af Mon Sep 17 00:00:00 2001 +From 266e6fc37326e45402f826b282b0e0c461614905 Mon Sep 17 00:00:00 2001 From: Ryan Gonzalez Date: Tue, 17 Nov 2020 13:00:39 -0600 Subject: [PATCH] flatpak: Expose Widevine into the sandbox @@ -10,7 +10,7 @@ Subject: [PATCH] flatpak: Expose Widevine into the sandbox 3 files changed, 131 insertions(+), 24 deletions(-) diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc -index 1703fb6ade044..3e8eb87981230 100644 +index 00f6ff8e13af5..cf3019e26bbf2 100644 --- a/content/browser/zygote_host/zygote_host_impl_linux.cc +++ b/content/browser/zygote_host/zygote_host_impl_linux.cc @@ -9,7 +9,10 @@ 
@@ -24,10 +24,10 @@ index 1703fb6ade044..3e8eb87981230 100644 #include "base/posix/unix_domain_socket.h" #include "base/process/kill.h" #include "base/process/launch.h" -@@ -18,9 +21,12 @@ +@@ -17,9 +20,12 @@ + #include "base/strings/string_number_conversions.h" #include "base/types/fixed_array.h" #include "build/build_config.h" - #include "build/chromeos_buildflags.h" +#include "chrome/common/chrome_paths.h" // nogncheck #include "content/common/zygote/zygote_commands_linux.h" #include "content/common/zygote/zygote_communication_linux.h" @@ -37,7 +37,7 @@ index 1703fb6ade044..3e8eb87981230 100644 #include "content/public/common/zygote/zygote_handle.h" #include "sandbox/linux/services/credentials.h" #include "sandbox/linux/services/flatpak_sandbox.h" -@@ -29,6 +35,7 @@ +@@ -28,6 +34,7 @@ #include "sandbox/linux/suid/common/sandbox.h" #include "sandbox/policy/linux/sandbox_linux.h" #include "sandbox/policy/switches.h" @@ -45,7 +45,7 @@ index 1703fb6ade044..3e8eb87981230 100644 #if BUILDFLAG(IS_CHROMEOS) #include "content/common/zygote/zygote_communication_linux.h" -@@ -193,8 +200,51 @@ pid_t ZygoteHostImpl::LaunchZygote( +@@ -192,8 +199,51 @@ pid_t ZygoteHostImpl::LaunchZygote( if (is_sandboxed_zygote && use_namespace_sandbox_) { process = sandbox::NamespaceSandbox::LaunchProcess(*cmd_line, options); } else if (is_sandboxed_zygote && use_flatpak_sandbox_) { @@ -100,7 +100,7 @@ index 1703fb6ade044..3e8eb87981230 100644 process = base::LaunchProcess(*cmd_line, options); } diff --git a/sandbox/linux/services/flatpak_sandbox.cc b/sandbox/linux/services/flatpak_sandbox.cc -index 2a915a5b9fa11..ed8d4c0556f63 100644 +index 31229fdf59127..cabda783879e6 100644 --- a/sandbox/linux/services/flatpak_sandbox.cc +++ b/sandbox/linux/services/flatpak_sandbox.cc @@ -4,6 +4,7 @@ @@ -322,5 +322,5 @@ index 167bbc85945ad..de8e7165b4573 100644 base::WaitableEvent* event, dbus::Response* response, -- -2.46.1 +2.47.1 
diff --git a/SPECS/chromium.spec b/SPECS/chromium.spec index e9be77a8..c2c7541b 100644 --- a/SPECS/chromium.spec +++ b/SPECS/chromium.spec @@ -126,12 +126,8 @@ %undefine _debugsource_packages %endif -# %%{nil} for Stable; -beta for Beta; -dev for Devel -# dash in -beta and -dev is intentional ! -%global chromium_channel %{nil} %global chromium_menu_name Chromium -%global chromium_browser_channel chromium-browser%{chromium_channel} -%global chromium_path %{_libdir}/chromium-browser%{chromium_channel} +%global chromium_path %{_libdir}/chromium-browser %global crd_path %{_libdir}/chrome-remote-desktop # We don't want any libs in these directories to generate Provides @@ -270,8 +266,8 @@ %global chromoting_client_id %nil %endif -Name: chromium%{chromium_channel} -Version: 133.0.6943.98 +Name: chromium +Version: 133.0.6943.126 Release: 1%{?dist} Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use Url: http://www.chromium.org/Home @@ -368,7 +364,7 @@ Patch358: chromium-127-rust-clanglib.patch # PowerPC64 LE support # Timothy Pearson's patchset -# https://gitlab.solidsilicon.io/public-development/open-source/chromium/openpower-patches/-/tree/chromium-128/patches/ppc64le +# https://gitlab.raptorengineering.com/raptor-engineering-public/chromium/openpower-patches Patch359: add-ppc64-architecture-string.patch Patch360: 0001-linux-seccomp-bpf-ppc64-glibc-workaround-in-SIGSYS-h.patch Patch361: 0001-sandbox-Enable-seccomp_bpf-for-ppc64.patch @@ -459,7 +455,7 @@ Source0: chromium-%{version}-clean.tar.xz Source1: README.fedora Source2: chromium.conf Source3: chromium-browser.sh -Source4: %{chromium_browser_channel}.desktop +Source4: chromium-browser.desktop # Also, only used if you want to reproduce the clean tarball. Source5: clean_ffmpeg.sh Source6: chromium-latest.py 
@@ -1251,7 +1247,7 @@ rust_sysroot_absolute="$(rustc --print sysroot)" # set clang version clang_version="$(clang --version | sed -n 's/clang version //p' | cut -d. -f1)" -%if 0%{?fedora} > 42 +%if 0%{?fedora} > 41 clang_base_path="/usr" %else clang_base_path="$(clang --version | grep InstalledDir | cut -d' ' -f2 | sed 's#/bin##')" @@ -1549,7 +1545,7 @@ mkdir -p %{buildroot}%{_bindir} \ # install system wide chromium config cp -a %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf -cp -a %{SOURCE3} %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh +cp -a %{SOURCE3} %{buildroot}%{chromium_path}/chromium-browser.sh %if ! %{use_vaapi} # remove vaapi flags 
@@ -1557,22 +1553,11 @@ echo "# system wide chromium flags" > %{buildroot}%{_sysconfdir}/%{name}/%{name} %endif export BUILD_TARGET=`cat /etc/redhat-release` -export CHROMIUM_PATH=%{chromium_path} -export CHROMIUM_BROWSER_CHANNEL=%{chromium_browser_channel} - -sed -i "s|@@BUILD_TARGET@@|$BUILD_TARGET|g" %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh -sed -i "s|@@CHROMIUM_PATH@@|$CHROMIUM_PATH|g" %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh -sed -i "s|@@CHROMIUM_BROWSER_CHANNEL@@|$CHROMIUM_BROWSER_CHANNEL|g" %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh -%if "%{chromium_channel}" == "%{nil}" - sed -i "s|@@EXTRA_FLAGS@@||g" %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh -%else - # Enable debug outputs for beta and dev channels - export EXTRA_FLAGS="--enable-logging=stderr --v=2" - sed -i "s|@@EXTRA_FLAGS@@|$EXTRA_FLAGS|g" %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh -%endif +sed -i "s|@@BUILD_TARGET@@|$BUILD_TARGET|g" %{buildroot}%{chromium_path}/chromium-browser.sh +sed -i "s|@@EXTRA_FLAGS@@||g" %{buildroot}%{chromium_path}/chromium-browser.sh -ln -s ../..%{chromium_path}/%{chromium_browser_channel}.sh %{buildroot}%{_bindir}/%{chromium_browser_channel} +ln -s ../..%{chromium_path}/chromium-browser.sh %{buildroot}%{_bindir}/chromium-browser mkdir -p %{buildroot}%{_mandir}/man1/ pushd %{chromebuilddir} 
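Review bot: This hunk drops the `sed -i "s|@@CHROMIUM_PATH@@|$CHROMIUM_PATH|g"` substitution together with the channel ones, but the only change to `SOURCES/chromium-browser.sh` visible in this commit is the `exec -a` line; if the wrapper still contains an `@@CHROMIUM_PATH@@` token it is now installed unexpanded and only fails at first launch. A cheap guard after the remaining two `sed` lines turns that into a build failure, e.g. `grep -q '@@' %{buildroot}%{chromium_path}/chromium-browser.sh && { echo "unexpanded placeholder in chromium-browser.sh"; exit 1; }`. As a point of style, the channel removal hardcodes `chromium-browser` in this hunk and in roughly a dozen `%install` and `%files` lines below it; a single `%global chromium_browser chromium-browser` near the surviving `%global chromium_path` would keep the name in one place.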
@@ -1586,12 +1571,12 @@ pushd %{chromebuilddir} cp -a libvulkan.so.1 %{buildroot}%{chromium_path} cp -a vk_swiftshader_icd.json %{buildroot}%{chromium_path} %endif - cp -a chrome %{buildroot}%{chromium_path}/%{chromium_browser_channel} + cp -a chrome %{buildroot}%{chromium_path}/chromium-browser cp -a chrome_sandbox %{buildroot}%{chromium_path}/chrome-sandbox cp -a chrome_crashpad_handler %{buildroot}%{chromium_path}/chrome_crashpad_handler - cp -a ../../chrome/app/resources/manpage.1.in %{buildroot}%{_mandir}/man1/%{chromium_browser_channel}.1 - sed -i "s|@@PACKAGE@@|%{chromium_browser_channel}|g" %{buildroot}%{_mandir}/man1/%{chromium_browser_channel}.1 - sed -i "s|@@MENUNAME@@|%{chromium_menu_name}|g" %{buildroot}%{_mandir}/man1/%{chromium_browser_channel}.1 + cp -a ../../chrome/app/resources/manpage.1.in %{buildroot}%{_mandir}/man1/chromium-browser.1 + sed -i "s|@@PACKAGE@@|chromium-browser|g" %{buildroot}%{_mandir}/man1/chromium-browser.1 + sed -i "s|@@MENUNAME@@|%{chromium_menu_name}|g" %{buildroot}%{_mandir}/man1/chromium-browser.1 # V8 initial snapshots # https://code.google.com/p/chromium/issues/detail?id=421063 
@@ -1636,15 +1621,15 @@ mkdir -p %{buildroot}%{_sysconfdir}/chromium/policies/managed mkdir -p %{buildroot}%{_sysconfdir}/chromium/policies/recommended mkdir -p %{buildroot}%{_datadir}/icons/hicolor/256x256/apps -cp -a chrome/app/theme/chromium/product_logo_256.png %{buildroot}%{_datadir}/icons/hicolor/256x256/apps/%{chromium_browser_channel}.png +cp -a chrome/app/theme/chromium/product_logo_256.png %{buildroot}%{_datadir}/icons/hicolor/256x256/apps/chromium-browser.png mkdir -p %{buildroot}%{_datadir}/icons/hicolor/128x128/apps -cp -a chrome/app/theme/chromium/product_logo_128.png %{buildroot}%{_datadir}/icons/hicolor/128x128/apps/%{chromium_browser_channel}.png +cp -a chrome/app/theme/chromium/product_logo_128.png %{buildroot}%{_datadir}/icons/hicolor/128x128/apps/chromium-browser.png mkdir -p %{buildroot}%{_datadir}/icons/hicolor/64x64/apps -cp -a chrome/app/theme/chromium/product_logo_64.png %{buildroot}%{_datadir}/icons/hicolor/64x64/apps/%{chromium_browser_channel}.png +cp -a chrome/app/theme/chromium/product_logo_64.png %{buildroot}%{_datadir}/icons/hicolor/64x64/apps/chromium-browser.png mkdir -p %{buildroot}%{_datadir}/icons/hicolor/48x48/apps -cp -a chrome/app/theme/chromium/product_logo_48.png %{buildroot}%{_datadir}/icons/hicolor/48x48/apps/%{chromium_browser_channel}.png +cp -a chrome/app/theme/chromium/product_logo_48.png %{buildroot}%{_datadir}/icons/hicolor/48x48/apps/chromium-browser.png mkdir -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps -cp -a chrome/app/theme/chromium/product_logo_24.png %{buildroot}%{_datadir}/icons/hicolor/24x24/apps/%{chromium_browser_channel}.png +cp -a chrome/app/theme/chromium/product_logo_24.png %{buildroot}%{_datadir}/icons/hicolor/24x24/apps/chromium-browser.png # Install the master_preferences file install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/%{name}/ 
@@ -1652,8 +1637,8 @@ install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/%{name}/ mkdir -p %{buildroot}%{_datadir}/applications/ desktop-file-install --dir %{buildroot}%{_datadir}/applications %{SOURCE4} -install -D -m0644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_datadir}/appdata/%{chromium_browser_channel}.appdata.xml -appstream-util validate-relax --nonet ${RPM_BUILD_ROOT}%{_datadir}/appdata/%{chromium_browser_channel}.appdata.xml +install -D -m0644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_datadir}/appdata/chromium-browser.appdata.xml +appstream-util validate-relax --nonet ${RPM_BUILD_ROOT}%{_datadir}/appdata/chromium-browser.appdata.xml mkdir -p %{buildroot}%{_datadir}/gnome-control-center/default-apps/ cp -a %{SOURCE9} %{buildroot}%{_datadir}/gnome-control-center/default-apps/ @@ -1666,10 +1651,10 @@ cp %{SOURCE1} . # Set SELinux labels - semanage itself will adjust the lib directory naming # But only do it when selinux is enabled, otherwise, it gets noisy. if selinuxenabled; then - semanage fcontext -a -t bin_t /usr/lib/%{chromium_browser_channel} &>/dev/null || : - semanage fcontext -a -t bin_t /usr/lib/%{chromium_browser_channel}/%{chromium_browser_channel}.sh &>/dev/null || : + semanage fcontext -a -t bin_t /usr/lib/chromium-browser &>/dev/null || : + semanage fcontext -a -t bin_t /usr/lib/chromium-browser/chromium-browser.sh &>/dev/null || : semanage fcontext -a -t chrome_sandbox_exec_t /usr/lib/chrome-sandbox &>/dev/null || : - restorecon -R -v %{chromium_path}/%{chromium_browser_channel} &>/dev/null || : + restorecon -R -v %{chromium_path}/chromium-browser &>/dev/null || : fi %endif 
@@ -1679,16 +1664,16 @@ fi %config(noreplace) %{_sysconfdir}/%{name}/chromium.conf %config %{_sysconfdir}/%{name}/master_preferences %config %{_sysconfdir}/%{name}/policies/ -%{_bindir}/%{chromium_browser_channel} +%{_bindir}/chromium-browser %{chromium_path}/*.bin %{chromium_path}/chrome_*.pak %{chromium_path}/chrome_crashpad_handler %{chromium_path}/resources.pak -%{chromium_path}/%{chromium_browser_channel} -%{chromium_path}/%{chromium_browser_channel}.sh +%{chromium_path}/chromium-browser +%{chromium_path}/chromium-browser.sh %attr(4755, root, root) %{chromium_path}/chrome-sandbox -%{_mandir}/man1/%{chromium_browser_channel}.* -%{_datadir}/icons/hicolor/*/apps/%{chromium_browser_channel}.png +%{_mandir}/man1/chromium-browser.* +%{_datadir}/icons/hicolor/*/apps/chromium-browser.png %{_datadir}/applications/*.desktop %{_datadir}/appdata/*.appdata.xml %{_datadir}/gnome-control-center/default-apps/chromium-browser.xml @@ -1796,6 +1781,12 @@ fi %endif %changelog +* Wed Feb 19 2025 Than Ngo - 133.0.6943.126-1 +- Update to 133.0.6943.126 + * CVE-2025-0999: Heap buffer overflow in V8 + * CVE-2025-1426: Heap buffer overflow in GPU + * CVE-2025-1006: Use after free in Network + * Thu Feb 13 2025 Than Ngo - 133.0.6943.98-1 - Update to 133.0.6943.98 * CVE-2025-0995: Use after free in V8