rpms
/
chromium
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'rawhide' into epel8

Browse Source
epel8 imports/epel8/chromium-133.0.6943.126-1.el8
Than Ngo 4 days ago
parent 5a37adf9ec 6d40ea788b
commit 6cfcd4b403
8 changed files with 123 additions and 109 deletions
Show Stats Download Patch File Download Diff File

27
chromium-133-workaround-system-ffmpeg-whitelist.patch
Unescape View File

@ -1,21 +1,34 @@
diff -up chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc.me chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc
--- chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc.me 2025-02-09 19:57:35.117198035 +0100
+++ chromium-133.0.6943.53/media/ffmpeg/ffmpeg_common.cc 2025-02-09 22:57:26.429570196 +0100
diff -up chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc.than chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc
--- chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc.than 2025-02-13 11:59:31.035724118 +0100
+++ chromium-133.0.6943.98/media/ffmpeg/ffmpeg_common.cc 2025-02-14 10:39:07.825746076 +0100
@@ -76,6 +76,8 @@ const char* GetAllowedVideoDecoders() {
void ApplyCodecContextSecuritySettings(AVCodecContext* codec_context) {
// Future versions of ffmpeg may copy the allow list from the format
// context.
+// Workaround for codec whitelist with system ffmpeg
+ // Workaround for codec whitelist with system ffmpeg
+#if 0
if (!codec_context->codec_whitelist) {
// Note: FFmpeg will try to free this string, so we must duplicate it.
codec_context->codec_whitelist =
@@ -83,7 +85,7 @@ void ApplyCodecContextSecuritySettings(A
@@ -83,6 +85,7 @@ void ApplyCodecContextSecuritySettings(A
? GetAllowedAudioDecoders()
: GetAllowedVideoDecoders());
}
-
+#endif
// Note: This is security sensitive. FFmpeg may not always continue safely
// in the presence of errors. See https://crbug.com/379418979
if (base::FeatureList::IsEnabled(kStrictFFmpegCodecs)) {
diff -up chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc.than chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc
--- chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc.than 2025-02-14 10:14:13.360398193 +0100
+++ chromium-133.0.6943.98/media/filters/ffmpeg_glue.cc 2025-02-14 10:36:46.762332912 +0100
@@ -131,8 +131,10 @@ FFmpegGlue::FFmpegGlue(FFmpegURLProtocol
// memory usage.
//
// Note: FFmpeg will try to free these strings, so we must duplicate them.
+#if 0
format_context_->codec_whitelist = av_strdup(GetAllowedAudioDecoders());
format_context_->format_whitelist = av_strdup(GetAllowedDemuxers());
+#endif
}
bool FFmpegGlue::OpenContext(bool is_local_file) {

2
chromium-browser.sh
Unescape View File

@ -48,4 +48,4 @@ exec < /dev/null
exec > >(exec cat)
exec 2> >(exec cat >&2)
exec -a "$0" "$HERE/@@CHROMIUM_BROWSER_CHANNEL@@" $CHROMIUM_FLAGS $CHROMIUM_DISTRO_FLAGS "$@"
exec -a "$0" "$HERE/chromium-browser" $CHROMIUM_FLAGS $CHROMIUM_DISTRO_FLAGS "$@"

14
chromium-latest.py
Unescape View File

@ -1,5 +1,5 @@
#!/usr/bin/python3
# Copyright 2021-2024, Than Ngo <than@redhat.com>
# Copyright 2021-2025, Than Ngo <than@redhat.com>
# Copyright 2010,2015-2019 Tom Callaway <tcallawa@redhat.com>
# Copyright 2013-2016 Tomas Popela <tpopela@redhat.com>
# Permission is hereby granted, free of charge, to any person obtaining
@ -243,6 +243,9 @@ if __name__ == '__main__':
parser_add_argument(
'--ffmpegclean', action='store_true',
help='Get the latest Chromium release from given channel and cleans ffmpeg sources from proprietary stuff')
parser_add_argument(
'--ffmpegremove', action='store_true',
help='Get the latest Chromium release from given channel and remove ffmpeg sources')
parser_add_argument(
'--chrome', action='store_true',
help='Get the latest Chrome rpms for the given channel')
@ -342,7 +345,14 @@ if __name__ == '__main__':
print("Cleaning ffmpeg from proprietary things...")
os.system("./clean_ffmpeg.sh %s %d" % (latest_dir, 0 if args.ffmpegarm else 1))
print("Cleaning openh264 from proprietary things...")
os.system("find %s/third_party/openh264/src -type f -not -name '*.h' -delete " % latest_dir)
os.system("find %s/third_party/openh264/* -type d | xargs rm -rf" % latest_dir)
print("Done!")
if (args.ffmpegremove):
print("Removing ffmpeg source...")
os.system("find %s/third_party/ffmpeg/* -type d | xargs rm -rf" % latest_dir)
print("Cleaning openh264 from proprietary things...")
os.system("find %s/third_party/openh264/* -type d | xargs rm -rf" % latest_dir)
print("Done!")
if (not args.prep):

79
chromium.spec
Unescape View File

@ -126,12 +126,8 @@
%undefine _debugsource_packages
%endif
# %%{nil} for Stable; -beta for Beta; -dev for Devel
# dash in -beta and -dev is intentional !
%global chromium_channel %{nil}
%global chromium_menu_name Chromium
%global chromium_browser_channel chromium-browser%{chromium_channel}
%global chromium_path %{_libdir}/chromium-browser%{chromium_channel}
%global chromium_path %{_libdir}/chromium-browser
%global crd_path %{_libdir}/chrome-remote-desktop
# We don't want any libs in these directories to generate Provides
@ -270,8 +266,8 @@
%global chromoting_client_id %nil
%endif
Name: chromium%{chromium_channel}
Version: 133.0.6943.98
Name: chromium
Version: 133.0.6943.126
Release: 1%{?dist}
Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use
Url: http://www.chromium.org/Home
@ -368,7 +364,7 @@ Patch358: chromium-127-rust-clanglib.patch
# PowerPC64 LE support
# Timothy Pearson's patchset
# https://gitlab.solidsilicon.io/public-development/open-source/chromium/openpower-patches/-/tree/chromium-128/patches/ppc64le
# https://gitlab.raptorengineering.com/raptor-engineering-public/chromium/openpower-patches
Patch359: add-ppc64-architecture-string.patch
Patch360: 0001-linux-seccomp-bpf-ppc64-glibc-workaround-in-SIGSYS-h.patch
Patch361: 0001-sandbox-Enable-seccomp_bpf-for-ppc64.patch
@ -459,7 +455,7 @@ Source0: chromium-%{version}-clean.tar.xz
Source1: README.fedora
Source2: chromium.conf
Source3: chromium-browser.sh
Source4: %{chromium_browser_channel}.desktop
Source4: chromium-browser.desktop
# Also, only used if you want to reproduce the clean tarball.
Source5: clean_ffmpeg.sh
Source6: chromium-latest.py
@ -1251,7 +1247,7 @@ rust_sysroot_absolute="$(rustc --print sysroot)"
# set clang version
clang_version="$(clang --version | sed -n 's/clang version //p' | cut -d. -f1)"
%if 0%{?fedora} > 42
%if 0%{?fedora} > 41
clang_base_path="/usr"
%else
clang_base_path="$(clang --version | grep InstalledDir | cut -d' ' -f2 | sed 's#/bin##')"
@ -1549,7 +1545,7 @@ mkdir -p %{buildroot}%{_bindir} \
# install system wide chromium config
cp -a %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
cp -a %{SOURCE3} %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh
cp -a %{SOURCE3} %{buildroot}%{chromium_path}/chromium-browser.sh
%if ! %{use_vaapi}
# remove vaapi flags
@ -1557,22 +1553,11 @@ echo "# system wide chromium flags" > %{buildroot}%{_sysconfdir}/%{name}/%{name}
%endif
export BUILD_TARGET=`cat /etc/redhat-release`
export CHROMIUM_PATH=%{chromium_path}
export CHROMIUM_BROWSER_CHANNEL=%{chromium_browser_channel}
sed -i "s|@@BUILD_TARGET@@|$BUILD_TARGET|g" %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh
sed -i "s|@@CHROMIUM_PATH@@|$CHROMIUM_PATH|g" %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh
sed -i "s|@@CHROMIUM_BROWSER_CHANNEL@@|$CHROMIUM_BROWSER_CHANNEL|g" %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh
%if "%{chromium_channel}" == "%{nil}"
sed -i "s|@@EXTRA_FLAGS@@||g" %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh
%else
# Enable debug outputs for beta and dev channels
export EXTRA_FLAGS="--enable-logging=stderr --v=2"
sed -i "s|@@EXTRA_FLAGS@@|$EXTRA_FLAGS|g" %{buildroot}%{chromium_path}/%{chromium_browser_channel}.sh
%endif
sed -i "s|@@BUILD_TARGET@@|$BUILD_TARGET|g" %{buildroot}%{chromium_path}/chromium-browser.sh
sed -i "s|@@EXTRA_FLAGS@@||g" %{buildroot}%{chromium_path}/chromium-browser.sh
ln -s ../..%{chromium_path}/%{chromium_browser_channel}.sh %{buildroot}%{_bindir}/%{chromium_browser_channel}
ln -s ../..%{chromium_path}/chromium-browser.sh %{buildroot}%{_bindir}/chromium-browser
mkdir -p %{buildroot}%{_mandir}/man1/
pushd %{chromebuilddir}
@ -1586,12 +1571,12 @@ pushd %{chromebuilddir}
cp -a libvulkan.so.1 %{buildroot}%{chromium_path}
cp -a vk_swiftshader_icd.json %{buildroot}%{chromium_path}
%endif
cp -a chrome %{buildroot}%{chromium_path}/%{chromium_browser_channel}
cp -a chrome %{buildroot}%{chromium_path}/chromium-browser
cp -a chrome_sandbox %{buildroot}%{chromium_path}/chrome-sandbox
cp -a chrome_crashpad_handler %{buildroot}%{chromium_path}/chrome_crashpad_handler
cp -a ../../chrome/app/resources/manpage.1.in %{buildroot}%{_mandir}/man1/%{chromium_browser_channel}.1
sed -i "s|@@PACKAGE@@|%{chromium_browser_channel}|g" %{buildroot}%{_mandir}/man1/%{chromium_browser_channel}.1
sed -i "s|@@MENUNAME@@|%{chromium_menu_name}|g" %{buildroot}%{_mandir}/man1/%{chromium_browser_channel}.1
cp -a ../../chrome/app/resources/manpage.1.in %{buildroot}%{_mandir}/man1/chromium-browser.1
sed -i "s|@@PACKAGE@@|chromium-browser|g" %{buildroot}%{_mandir}/man1/chromium-browser.1
sed -i "s|@@MENUNAME@@|%{chromium_menu_name}|g" %{buildroot}%{_mandir}/man1/chromium-browser.1
# V8 initial snapshots
# https://code.google.com/p/chromium/issues/detail?id=421063
@ -1636,15 +1621,15 @@ mkdir -p %{buildroot}%{_sysconfdir}/chromium/policies/managed
mkdir -p %{buildroot}%{_sysconfdir}/chromium/policies/recommended
mkdir -p %{buildroot}%{_datadir}/icons/hicolor/256x256/apps
cp -a chrome/app/theme/chromium/product_logo_256.png %{buildroot}%{_datadir}/icons/hicolor/256x256/apps/%{chromium_browser_channel}.png
cp -a chrome/app/theme/chromium/product_logo_256.png %{buildroot}%{_datadir}/icons/hicolor/256x256/apps/chromium-browser.png
mkdir -p %{buildroot}%{_datadir}/icons/hicolor/128x128/apps
cp -a chrome/app/theme/chromium/product_logo_128.png %{buildroot}%{_datadir}/icons/hicolor/128x128/apps/%{chromium_browser_channel}.png
cp -a chrome/app/theme/chromium/product_logo_128.png %{buildroot}%{_datadir}/icons/hicolor/128x128/apps/chromium-browser.png
mkdir -p %{buildroot}%{_datadir}/icons/hicolor/64x64/apps
cp -a chrome/app/theme/chromium/product_logo_64.png %{buildroot}%{_datadir}/icons/hicolor/64x64/apps/%{chromium_browser_channel}.png
cp -a chrome/app/theme/chromium/product_logo_64.png %{buildroot}%{_datadir}/icons/hicolor/64x64/apps/chromium-browser.png
mkdir -p %{buildroot}%{_datadir}/icons/hicolor/48x48/apps
cp -a chrome/app/theme/chromium/product_logo_48.png %{buildroot}%{_datadir}/icons/hicolor/48x48/apps/%{chromium_browser_channel}.png
cp -a chrome/app/theme/chromium/product_logo_48.png %{buildroot}%{_datadir}/icons/hicolor/48x48/apps/chromium-browser.png
mkdir -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
cp -a chrome/app/theme/chromium/product_logo_24.png %{buildroot}%{_datadir}/icons/hicolor/24x24/apps/%{chromium_browser_channel}.png
cp -a chrome/app/theme/chromium/product_logo_24.png %{buildroot}%{_datadir}/icons/hicolor/24x24/apps/chromium-browser.png
# Install the master_preferences file
install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/%{name}/
@ -1652,8 +1637,8 @@ install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/%{name}/
mkdir -p %{buildroot}%{_datadir}/applications/
desktop-file-install --dir %{buildroot}%{_datadir}/applications %{SOURCE4}
install -D -m0644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_datadir}/appdata/%{chromium_browser_channel}.appdata.xml
appstream-util validate-relax --nonet ${RPM_BUILD_ROOT}%{_datadir}/appdata/%{chromium_browser_channel}.appdata.xml
install -D -m0644 %{SOURCE10} ${RPM_BUILD_ROOT}%{_datadir}/appdata/chromium-browser.appdata.xml
appstream-util validate-relax --nonet ${RPM_BUILD_ROOT}%{_datadir}/appdata/chromium-browser.appdata.xml
mkdir -p %{buildroot}%{_datadir}/gnome-control-center/default-apps/
cp -a %{SOURCE9} %{buildroot}%{_datadir}/gnome-control-center/default-apps/
@ -1666,10 +1651,10 @@ cp %{SOURCE1} .
# Set SELinux labels - semanage itself will adjust the lib directory naming
# But only do it when selinux is enabled, otherwise, it gets noisy.
if selinuxenabled; then
semanage fcontext -a -t bin_t /usr/lib/%{chromium_browser_channel} &>/dev/null || :
semanage fcontext -a -t bin_t /usr/lib/%{chromium_browser_channel}/%{chromium_browser_channel}.sh &>/dev/null || :
semanage fcontext -a -t bin_t /usr/lib/chromium-browser &>/dev/null || :
semanage fcontext -a -t bin_t /usr/lib/chromium-browser/chromium-browser.sh &>/dev/null || :
semanage fcontext -a -t chrome_sandbox_exec_t /usr/lib/chrome-sandbox &>/dev/null || :
restorecon -R -v %{chromium_path}/%{chromium_browser_channel} &>/dev/null || :
restorecon -R -v %{chromium_path}/chromium-browser &>/dev/null || :
fi
%endif
@ -1679,16 +1664,16 @@ fi
%config(noreplace) %{_sysconfdir}/%{name}/chromium.conf
%config %{_sysconfdir}/%{name}/master_preferences
%config %{_sysconfdir}/%{name}/policies/
%{_bindir}/%{chromium_browser_channel}
%{_bindir}/chromium-browser
%{chromium_path}/*.bin
%{chromium_path}/chrome_*.pak
%{chromium_path}/chrome_crashpad_handler
%{chromium_path}/resources.pak
%{chromium_path}/%{chromium_browser_channel}
%{chromium_path}/%{chromium_browser_channel}.sh
%{chromium_path}/chromium-browser
%{chromium_path}/chromium-browser.sh
%attr(4755, root, root) %{chromium_path}/chrome-sandbox
%{_mandir}/man1/%{chromium_browser_channel}.*
%{_datadir}/icons/hicolor/*/apps/%{chromium_browser_channel}.png
%{_mandir}/man1/chromium-browser.*
%{_datadir}/icons/hicolor/*/apps/chromium-browser.png
%{_datadir}/applications/*.desktop
%{_datadir}/appdata/*.appdata.xml
%{_datadir}/gnome-control-center/default-apps/chromium-browser.xml
@ -1796,6 +1781,12 @@ fi
%endif
%changelog
* Wed Feb 19 2025 Than Ngo <than@redhat.com> - 133.0.6943.126-1
- Update to 133.0.6943.126
* CVE-2025-0999: Heap buffer overflow in V8
* CVE-2025-1426: Heap buffer overflow in GPU
* CVE-2025-1006: Use after free in Network
* Thu Feb 13 2025 Than Ngo <than@redhat.com> - 133.0.6943.98-1
- Update to 133.0.6943.98
* CVE-2025-0995: Use after free in V8

74
flatpak-Add-initial-sandbox-support.patch
Unescape View File

@ -1,4 +1,4 @@
From ab11528f26a212417b0b6084b52c02e992fe43f7 Mon Sep 17 00:00:00 2001
From e29f4b52c8770033504794b934bc14b1d7261ef1 Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <rymg19@gmail.com>
Date: Tue, 17 Mar 2020 13:18:27 -0500
Subject: [PATCH] flatpak: Add initial sandbox support
@ -42,10 +42,10 @@ index 9056030523807..2c13d0ad5f1c7 100644
/.externalToolBuilders/
/.settings/
diff --git a/base/threading/thread_restrictions.h b/base/threading/thread_restrictions.h
index 149838be725f2..81034acc71e97 100644
index e029700325e79..14ef172d37087 100644
--- a/base/threading/thread_restrictions.h
+++ b/base/threading/thread_restrictions.h
@@ -407,6 +407,9 @@ class ScopedAllowThreadJoinForWebRtcTransport;
@@ -409,6 +409,9 @@ class ScopedAllowThreadJoinForWebRtcTransport;
namespace rlz_lib {
class FinancialPing;
}
@ -55,7 +55,7 @@ index 149838be725f2..81034acc71e97 100644
namespace service_manager {
class ServiceProcessLauncher;
}
@@ -649,6 +652,7 @@ class BASE_EXPORT ScopedAllowBlocking {
@@ -646,6 +649,7 @@ class BASE_EXPORT ScopedAllowBlocking {
friend class remoting::
ScopedBypassIOThreadRestrictions; // http://crbug.com/1144161
friend class remoting::ScopedAllowBlockingForCrashReporting;
@ -63,7 +63,7 @@ index 149838be725f2..81034acc71e97 100644
friend class ui::DrmDisplayHostManager;
friend class ui::ScopedAllowBlockingForGbmSurface;
friend class ui::SelectFileDialogLinux;
@@ -792,6 +796,7 @@ class BASE_EXPORT ScopedAllowBaseSyncPrimitives {
@@ -788,6 +792,7 @@ class BASE_EXPORT ScopedAllowBaseSyncPrimitives {
friend class rlz_lib::FinancialPing;
friend class shell_integration_linux::
LaunchXdgUtilityScopedAllowBaseSyncPrimitives;
@ -72,7 +72,7 @@ index 149838be725f2..81034acc71e97 100644
friend class syncer::HttpBridge;
friend class syncer::GetLocalChangesRequest;
diff --git a/chrome/browser/resources/sandbox_internals/sandbox_internals.ts b/chrome/browser/resources/sandbox_internals/sandbox_internals.ts
index f6d2f3f0bc41c..fcc58c6735eaa 100644
index 1d2c06f540674..9946482709bbf 100644
--- a/chrome/browser/resources/sandbox_internals/sandbox_internals.ts
+++ b/chrome/browser/resources/sandbox_internals/sandbox_internals.ts
@@ -140,6 +140,7 @@ function addGoodBadRow(name: string, result: boolean): HTMLElement {
@ -94,10 +94,10 @@ index f6d2f3f0bc41c..fcc58c6735eaa 100644
addStatusRow('Layer 1 Sandbox', layer1SandboxType, layer1SandboxCssClass);
diff --git a/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc b/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc
index 82aa27787a5e0..32bf674f33da6 100644
index 1174a704b8126..e7fd738b705fb 100644
--- a/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc
+++ b/chrome/browser/ui/webui/sandbox/sandbox_internals_ui.cc
@@ -20,6 +20,7 @@
@@ -15,6 +15,7 @@
#include "content/public/browser/web_contents.h"
#include "content/public/browser/web_ui.h"
#include "content/public/browser/web_ui_data_source.h"
@ -105,7 +105,7 @@ index 82aa27787a5e0..32bf674f33da6 100644
#include "services/network/public/mojom/content_security_policy.mojom.h"
#if BUILDFLAG(IS_WIN)
@@ -46,6 +47,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) {
@@ -41,6 +42,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) {
source->AddBoolean("suid", status & sandbox::policy::SandboxLinux::kSUID);
source->AddBoolean("userNs", status & sandbox::policy::SandboxLinux::kUserNS);
@ -114,7 +114,7 @@ index 82aa27787a5e0..32bf674f33da6 100644
source->AddBoolean("pidNs", status & sandbox::policy::SandboxLinux::kPIDNS);
source->AddBoolean("netNs", status & sandbox::policy::SandboxLinux::kNetNS);
source->AddBoolean("seccompBpf",
@@ -63,7 +66,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) {
@@ -58,7 +61,8 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) {
// Require either the setuid or namespace sandbox for our first-layer sandbox.
bool good_layer1 = (status & sandbox::policy::SandboxLinux::kSUID ||
@ -125,10 +125,10 @@ index 82aa27787a5e0..32bf674f33da6 100644
status & sandbox::policy::SandboxLinux::kNetNS;
// A second-layer sandbox is also required to be adequately sandboxed.
diff --git a/content/browser/child_process_host_impl.cc b/content/browser/child_process_host_impl.cc
index 95df576580a9e..8d5e0694660b6 100644
index 583a386414590..c1cf93992da5b 100644
--- a/content/browser/child_process_host_impl.cc
+++ b/content/browser/child_process_host_impl.cc
@@ -45,6 +45,7 @@
@@ -46,6 +46,7 @@
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
#include "base/linux_util.h"
@ -136,7 +136,7 @@ index 95df576580a9e..8d5e0694660b6 100644
#elif BUILDFLAG(IS_MAC)
#include "base/apple/foundation_util.h"
#include "content/browser/mac_helpers.h"
@@ -78,7 +79,12 @@ base::FilePath ChildProcessHost::GetChildPath(int flags) {
@@ -72,7 +73,12 @@ base::FilePath ChildProcessHost::GetChildPath(int flags) {
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
// Use /proc/self/exe rather than our known binary path so updates
// can't swap out the binary from underneath us.
@ -151,7 +151,7 @@ index 95df576580a9e..8d5e0694660b6 100644
}
#endif
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc
index 8eca918b65cbe..1703fb6ade044 100644
index bd1013ccdd503..00f6ff8e13af5 100644
--- a/content/browser/zygote_host/zygote_host_impl_linux.cc
+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc
@@ -12,6 +12,7 @@
@ -162,7 +162,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
#include "base/process/memory.h"
#include "base/strings/string_number_conversions.h"
#include "base/types/fixed_array.h"
@@ -22,6 +23,7 @@
@@ -21,6 +22,7 @@
#include "content/common/zygote/zygote_handle_impl_linux.h"
#include "content/public/common/zygote/zygote_handle.h"
#include "sandbox/linux/services/credentials.h"
@ -170,7 +170,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
#include "sandbox/linux/services/namespace_sandbox.h"
#include "sandbox/linux/suid/client/setuid_sandbox_host.h"
#include "sandbox/linux/suid/common/sandbox.h"
@@ -72,6 +74,7 @@ ZygoteHostImpl::ZygoteHostImpl()
@@ -71,6 +73,7 @@ ZygoteHostImpl::ZygoteHostImpl()
: use_namespace_sandbox_(false),
use_suid_sandbox_(false),
use_suid_sandbox_for_adj_oom_score_(false),
@ -178,7 +178,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
sandbox_binary_(),
zygote_pids_lock_(),
zygote_pids_() {}
@@ -110,9 +113,12 @@ void ZygoteHostImpl::Init(const base::CommandLine& command_line) {
@@ -109,9 +112,12 @@ void ZygoteHostImpl::Init(const base::CommandLine& command_line) {
sandbox_binary_ = setuid_sandbox_host->GetSandboxBinaryPath().value();
}
@ -194,7 +194,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
use_namespace_sandbox_ = true;
} else if (!command_line.HasSwitch(
sandbox::policy::switches::kDisableSetuidSandbox) &&
@@ -183,10 +189,16 @@ pid_t ZygoteHostImpl::LaunchZygote(
@@ -182,10 +188,16 @@ pid_t ZygoteHostImpl::LaunchZygote(
sandbox_host->SetupLaunchEnvironment();
}
@ -215,7 +215,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
CHECK(process.IsValid()) << "Failed to launch zygote process";
dummy_fd.reset();
@@ -195,7 +207,8 @@ pid_t ZygoteHostImpl::LaunchZygote(
@@ -194,7 +206,8 @@ pid_t ZygoteHostImpl::LaunchZygote(
pid_t pid = process.Pid();
@ -225,7 +225,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
// The namespace and SUID sandbox will execute the zygote in a new
// PID namespace, and the main zygote process will then fork from
// there. Watch now our elaborate dance to find and validate the
@@ -223,7 +236,11 @@ pid_t ZygoteHostImpl::LaunchZygote(
@@ -222,7 +235,11 @@ pid_t ZygoteHostImpl::LaunchZygote(
if (real_pid != pid) {
// Reap the sandbox.
@ -238,7 +238,7 @@ index 8eca918b65cbe..1703fb6ade044 100644
}
pid = real_pid;
}
@@ -274,6 +291,10 @@ void ZygoteHostImpl::AdjustRendererOOMScore(base::ProcessHandle pid,
@@ -273,6 +290,10 @@ void ZygoteHostImpl::AdjustRendererOOMScore(base::ProcessHandle pid,
selinux_valid = true;
}
@ -250,10 +250,10 @@ index 8eca918b65cbe..1703fb6ade044 100644
if (!base::AdjustOOMScore(pid, score))
PLOG(ERROR) << "Failed to adjust OOM score of renderer with pid " << pid;
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.h b/content/browser/zygote_host/zygote_host_impl_linux.h
index 720d823d4a695..ad470963693c4 100644
index 8ef884a7db6f4..f441900dd6343 100644
--- a/content/browser/zygote_host/zygote_host_impl_linux.h
+++ b/content/browser/zygote_host/zygote_host_impl_linux.h
@@ -70,6 +70,7 @@ class CONTENT_EXPORT ZygoteHostImpl : public ZygoteHost {
@@ -69,6 +69,7 @@ class CONTENT_EXPORT ZygoteHostImpl : public ZygoteHost {
bool use_namespace_sandbox_;
bool use_suid_sandbox_;
bool use_suid_sandbox_for_adj_oom_score_;
@ -262,10 +262,10 @@ index 720d823d4a695..ad470963693c4 100644
// This lock protects the |zygote_pids_| set.
diff --git a/content/zygote/zygote_linux.cc b/content/zygote/zygote_linux.cc
index bdcb36f7eb2fe..239a6462e4b41 100644
index f2c3b43281d53..9f3f3f6b1bc12 100644
--- a/content/zygote/zygote_linux.cc
+++ b/content/zygote/zygote_linux.cc
@@ -127,7 +127,7 @@ bool Zygote::ProcessRequests() {
@@ -126,7 +126,7 @@ bool Zygote::ProcessRequests() {
PCHECK(sigaddset(&sigset, SIGCHLD) == 0);
PCHECK(sigprocmask(SIG_BLOCK, &sigset, &orig_sigmask) == 0);
@ -274,7 +274,7 @@ index bdcb36f7eb2fe..239a6462e4b41 100644
// Let the ZygoteHost know we are ready to go.
// The receiving code is in
// content/browser/zygote_host/zygote_host_impl_linux.cc.
@@ -233,6 +233,10 @@ bool Zygote::UsingNSSandbox() const {
@@ -231,6 +231,10 @@ bool Zygote::UsingNSSandbox() const {
return sandbox_flags_ & sandbox::policy::SandboxLinux::kUserNS;
}
@ -506,7 +506,7 @@ index 0000000000000..22799eb42f782
+#endif
diff --git a/sandbox/linux/services/flatpak_sandbox.cc b/sandbox/linux/services/flatpak_sandbox.cc
new file mode 100644
index 0000000000000..2a915a5b9fa11
index 0000000000000..31229fdf59127
--- /dev/null
+++ b/sandbox/linux/services/flatpak_sandbox.cc
@@ -0,0 +1,576 @@
@ -570,7 +570,7 @@ index 0000000000000..2a915a5b9fa11
+
+void WriteStringAsByteArray(dbus::MessageWriter* writer,
+ const std::string& str) {
+ writer->AppendArrayOfBytes(base::make_span(
+ writer->AppendArrayOfBytes(base::span(
+ reinterpret_cast<const uint8_t*>(str.c_str()), str.size() + 1));
+}
+
@ -1211,10 +1211,10 @@ index 0000000000000..167bbc85945ad
+
+#endif // SANDBOX_LINUX_SERVICES_FLATPAK_SANDBOX_H_
diff --git a/sandbox/policy/BUILD.gn b/sandbox/policy/BUILD.gn
index 4fe53b047b9aa..794e1ad1805d8 100644
index 6767e25821a9a..521c089a5f3df 100644
--- a/sandbox/policy/BUILD.gn
+++ b/sandbox/policy/BUILD.gn
@@ -129,6 +129,9 @@ component("policy") {
@@ -116,6 +116,9 @@ component("policy") {
"//sandbox/linux:suid_sandbox_client",
]
}
@ -1225,7 +1225,7 @@ index 4fe53b047b9aa..794e1ad1805d8 100644
sources += [
"linux/bpf_ime_policy_linux.cc",
diff --git a/sandbox/policy/linux/sandbox_linux.cc b/sandbox/policy/linux/sandbox_linux.cc
index c7313416e6183..0cb8043f0ac72 100644
index 6249a61685332..a3ae93f9f4191 100644
--- a/sandbox/policy/linux/sandbox_linux.cc
+++ b/sandbox/policy/linux/sandbox_linux.cc
@@ -37,6 +37,7 @@
@ -1236,7 +1236,7 @@ index c7313416e6183..0cb8043f0ac72 100644
#include "sandbox/linux/services/libc_interceptor.h"
#include "sandbox/linux/services/namespace_sandbox.h"
#include "sandbox/linux/services/proc_util.h"
@@ -236,6 +237,9 @@ void SandboxLinux::PreinitializeSandbox() {
@@ -232,6 +233,9 @@ void SandboxLinux::PreinitializeSandbox() {
const int yama_status = Yama::GetStatus();
yama_is_enforcing_ = (yama_status & Yama::STATUS_PRESENT) &&
(yama_status & Yama::STATUS_ENFORCING);
@ -1246,7 +1246,7 @@ index c7313416e6183..0cb8043f0ac72 100644
pre_initialized_ = true;
}
@@ -274,6 +278,10 @@ int SandboxLinux::GetStatus() {
@@ -270,6 +274,10 @@ int SandboxLinux::GetStatus() {
sandbox_status_flags_ |= kPIDNS;
if (NamespaceSandbox::InNewNetNamespace())
sandbox_status_flags_ |= kNetNS;
@ -1291,10 +1291,10 @@ index 0e4f78b9e6cb7..91b638d8a96e0 100644
#if BUILDFLAG(USING_SANITIZER)
std::unique_ptr<__sanitizer_sandbox_arguments> sanitizer_args_;
diff --git a/services/service_manager/service_process_launcher.cc b/services/service_manager/service_process_launcher.cc
index e24a262fe90d5..c20fdbd88a1a6 100644
index bb99780fb878d..4dcdee34d2338 100644
--- a/services/service_manager/service_process_launcher.cc
+++ b/services/service_manager/service_process_launcher.cc
@@ -41,6 +41,7 @@
@@ -40,6 +40,7 @@
#endif
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
@ -1302,7 +1302,7 @@ index e24a262fe90d5..c20fdbd88a1a6 100644
#include "sandbox/linux/services/namespace_sandbox.h"
#endif
@@ -286,8 +287,15 @@ void ServiceProcessLauncher::ProcessState::StopInBackground() {
@@ -285,8 +286,15 @@ void ServiceProcessLauncher::ProcessState::StopInBackground() {
return;
int rv = -1;
@ -1321,5 +1321,5 @@ index e24a262fe90d5..c20fdbd88a1a6 100644
}
--
2.46.1
2.47.1

18
flatpak-Adjust-paths-for-the-sandbox.patch
Unescape View File

@ -1,4 +1,4 @@
From 997c9dc4160c468f26acb851eb65408f41e2a091 Mon Sep 17 00:00:00 2001
From bf5f40f06d453e0128a9289d2df48d82822f8646 Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <rymg19@gmail.com>
Date: Tue, 25 Aug 2020 19:26:07 -0500
Subject: [PATCH] flatpak: Adjust paths for the sandbox
@ -9,10 +9,10 @@ Subject: [PATCH] flatpak: Adjust paths for the sandbox
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/chrome/common/BUILD.gn b/chrome/common/BUILD.gn
index 76cf6a5985990..4044c87b656c4 100644
index b7338a65d9a68..b13c79e33c3f6 100644
--- a/chrome/common/BUILD.gn
+++ b/chrome/common/BUILD.gn
@@ -642,6 +642,10 @@ static_library("constants") {
@@ -633,6 +633,10 @@ static_library("constants") {
"//third_party/widevine/cdm:headers",
]
}
@ -24,7 +24,7 @@ index 76cf6a5985990..4044c87b656c4 100644
# Use a static library here because many test binaries depend on this but don't
diff --git a/chrome/common/chrome_paths.cc b/chrome/common/chrome_paths.cc
index ec09803ffabcf..ecbc300b99e1d 100644
index afc13e1b56f78..d707b71ba03ac 100644
--- a/chrome/common/chrome_paths.cc
+++ b/chrome/common/chrome_paths.cc
@@ -38,6 +38,10 @@
@ -38,8 +38,8 @@ index ec09803ffabcf..ecbc300b99e1d 100644
#if BUILDFLAG(ENABLE_WIDEVINE)
#include "third_party/widevine/cdm/widevine_cdm_common.h" // nogncheck
#endif
@@ -537,6 +541,14 @@ bool PathProvider(int key, base::FilePath* result) {
break;
@@ -529,6 +533,14 @@ bool PathProvider(int key, base::FilePath* result) {
#endif
#if BUILDFLAG(IS_POSIX) && !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_OPENBSD)
case chrome::DIR_POLICY_FILES: {
+#if defined(OS_LINUX)
@ -53,7 +53,7 @@ index ec09803ffabcf..ecbc300b99e1d 100644
cur = base::FilePath(policy::kPolicyPath);
break;
}
@@ -557,7 +569,13 @@ bool PathProvider(int key, base::FilePath* result) {
@@ -549,7 +561,13 @@ bool PathProvider(int key, base::FilePath* result) {
#endif
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
case chrome::DIR_STANDALONE_EXTERNAL_EXTENSIONS: {
@ -68,7 +68,7 @@ index ec09803ffabcf..ecbc300b99e1d 100644
break;
}
#endif
@@ -604,6 +622,12 @@ bool PathProvider(int key, base::FilePath* result) {
@@ -596,6 +614,12 @@ bool PathProvider(int key, base::FilePath* result) {
"/Library/Application Support/Chromium/NativeMessagingHosts"));
#endif
#else // BUILDFLAG(IS_MAC)
@ -82,5 +82,5 @@ index ec09803ffabcf..ecbc300b99e1d 100644
cur = base::FilePath(
FILE_PATH_LITERAL("/etc/opt/chrome/native-messaging-hosts"));
--
2.46.1
2.47.1

16
flatpak-Expose-Widevine-into-the-sandbox.patch
Unescape View File

@ -1,4 +1,4 @@
From 0446b3432c90bbab893c7bde22a5e664e14753af Mon Sep 17 00:00:00 2001
From 266e6fc37326e45402f826b282b0e0c461614905 Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <rymg19@gmail.com>
Date: Tue, 17 Nov 2020 13:00:39 -0600
Subject: [PATCH] flatpak: Expose Widevine into the sandbox
@ -10,7 +10,7 @@ Subject: [PATCH] flatpak: Expose Widevine into the sandbox
3 files changed, 131 insertions(+), 24 deletions(-)
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.cc b/content/browser/zygote_host/zygote_host_impl_linux.cc
index 1703fb6ade044..3e8eb87981230 100644
index 00f6ff8e13af5..cf3019e26bbf2 100644
--- a/content/browser/zygote_host/zygote_host_impl_linux.cc
+++ b/content/browser/zygote_host/zygote_host_impl_linux.cc
@@ -9,7 +9,10 @@
@ -24,10 +24,10 @@ index 1703fb6ade044..3e8eb87981230 100644
#include "base/posix/unix_domain_socket.h"
#include "base/process/kill.h"
#include "base/process/launch.h"
@@ -18,9 +21,12 @@
@@ -17,9 +20,12 @@
#include "base/strings/string_number_conversions.h"
#include "base/types/fixed_array.h"
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
+#include "chrome/common/chrome_paths.h" // nogncheck
#include "content/common/zygote/zygote_commands_linux.h"
#include "content/common/zygote/zygote_communication_linux.h"
@ -37,7 +37,7 @@ index 1703fb6ade044..3e8eb87981230 100644
#include "content/public/common/zygote/zygote_handle.h"
#include "sandbox/linux/services/credentials.h"
#include "sandbox/linux/services/flatpak_sandbox.h"
@@ -29,6 +35,7 @@
@@ -28,6 +34,7 @@
#include "sandbox/linux/suid/common/sandbox.h"
#include "sandbox/policy/linux/sandbox_linux.h"
#include "sandbox/policy/switches.h"
@ -45,7 +45,7 @@ index 1703fb6ade044..3e8eb87981230 100644
#if BUILDFLAG(IS_CHROMEOS)
#include "content/common/zygote/zygote_communication_linux.h"
@@ -193,8 +200,51 @@ pid_t ZygoteHostImpl::LaunchZygote(
@@ -192,8 +199,51 @@ pid_t ZygoteHostImpl::LaunchZygote(
if (is_sandboxed_zygote && use_namespace_sandbox_) {
process = sandbox::NamespaceSandbox::LaunchProcess(*cmd_line, options);
} else if (is_sandboxed_zygote && use_flatpak_sandbox_) {
@ -100,7 +100,7 @@ index 1703fb6ade044..3e8eb87981230 100644
process = base::LaunchProcess(*cmd_line, options);
}
diff --git a/sandbox/linux/services/flatpak_sandbox.cc b/sandbox/linux/services/flatpak_sandbox.cc
index 2a915a5b9fa11..ed8d4c0556f63 100644
index 31229fdf59127..cabda783879e6 100644
--- a/sandbox/linux/services/flatpak_sandbox.cc
+++ b/sandbox/linux/services/flatpak_sandbox.cc
@@ -4,6 +4,7 @@
@ -322,5 +322,5 @@ index 167bbc85945ad..de8e7165b4573 100644
base::WaitableEvent* event,
dbus::Response* response,
--
2.46.1
2.47.1

2
sources
Unescape View File

@ -2,4 +2,4 @@ SHA512 (node-v20.6.1-linux-arm64.tar.xz) = adfcaf2c22614797fd69fb46d94c1cbf64dea
SHA512 (node-v20.6.1-linux-x64.tar.xz) = 7e15c05041a9a50f0046266aadb2e092a5aefbec19be1c7c809471add520cb57c7df3c47d88b1888b29bf2979dca3c92adddfd965370fa2a9da4ea02186464fd
SHA512 (linux-arm64-0.19.2.tgz) = 8a0d8fec6786fffcd6954d00820037a55d61e60762c74300df0801f8db27057562c221a063bedfb8df56af9ba80abb366336987e881782c5996e6f871abd3dc6
SHA512 (linux-x64-0.19.2.tgz) = a31cc74c4bfa54f9b75d735a1cfc944d3b5efb7c06bfba9542da9a642ae0b2d235ea00ae84d3ad0572c406405110fe7b61377af0fd15803806ef78d20fc6f05d
SHA512 (chromium-133.0.6943.98-clean.tar.xz) = 2a1382b00d8e48a9404c735cd9f80d78f3d1904ae501ea507ae6b528e5c664ade64799963f7fdb5f04592ae77d7a7a8e65e877278577cd4e92b3247228f8803b
SHA512 (chromium-133.0.6943.126-clean.tar.xz) = 7c818a6fa2ffed20ca1c11eee8d7fc8e09e53efbf6f21c40f67b781f0737a8b7dd1ee09a79f823b28fe0dd234c2faf920680db387fd3caa5c8db0699c170b100

Write Preview
Loading…
Cancel
Save