diff --git a/hardening.patch b/hardening.patch index d41bf454..cf456f5e 100644 --- a/hardening.patch +++ b/hardening.patch @@ -32,11 +32,11 @@ index 931b9c0..451591e 100644 +Name: hardened-chromium%{chromium_channel} Version: 126.0.6478.182 -Release: 1%{?dist} -+Release: 2%{?dist} ++Release: 3%{?dist} Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use Url: http://www.chromium.org/Home License: BSD-3-Clause AND LGPL-2.1-or-later AND Apache-2.0 AND IJG AND MIT AND GPL-2.0-or-later AND ISC AND OpenSSL AND (MPL-1.1 OR GPL-2.0-only OR LGPL-2.0-only) -@@ -563,6 +563,81 @@ Patch413: fix-unknown-warning-option-messages.diff +@@ -563,6 +563,82 @@ Patch413: fix-unknown-warning-option-messages.diff # 64kpage support on el8 Patch500: chromium-124-el8-support-64kpage.patch @@ -114,11 +114,12 @@ index 931b9c0..451591e 100644 +Patch2076: disable-sync-by-default.patch +Patch2077: disable-infobar-for-builds-without-api-key.patch +Patch2078: disable-printing-by-default.patch ++Patch2079: enable-visited-link-database-partitioning.patch + # Use chromium-latest.py to generate clean tarball from released build tarballs, found here: # http://build.chromium.org/buildbot/official/ # For Chromium Fedora use chromium-latest.py --stable --ffmpegclean --ffmpegarm -@@ -928,7 +1003,7 @@ Requires: libcanberra-gtk3%{_isa} +@@ -928,7 +1004,7 @@ Requires: libcanberra-gtk3%{_isa} Requires: u2f-hidraw-policy %endif @@ -127,7 +128,7 @@ index 931b9c0..451591e 100644 # rhel 7: x86_64 # rhel 8 or newer: x86_64, aarch64 -@@ -1098,7 +1173,7 @@ Requires(preun): systemd +@@ -1098,7 +1174,7 @@ Requires(preun): systemd Requires(postun): systemd Requires: xorg-x11-server-Xvfb Requires: python3-psutil 
@@ -136,7 +137,7 @@ index 931b9c0..451591e 100644 Summary: Remote desktop support for google-chrome & chromium %description -n chrome-remote-desktop -@@ -1107,7 +1182,7 @@ Remote desktop support for google-chrome & chromium. +@@ -1107,7 +1183,7 @@ Remote desktop support for google-chrome & chromium. %package -n chromedriver Summary: WebDriver for Google Chrome/Chromium @@ -145,7 +146,7 @@ index 931b9c0..451591e 100644 %description -n chromedriver WebDriver is an open source tool for automated testing of webapps across many -@@ -1118,7 +1193,7 @@ members of the Chromium and WebDriver teams. +@@ -1118,7 +1194,7 @@ members of the Chromium and WebDriver teams. %package headless Summary: A minimal headless shell built from Chromium @@ -154,7 +155,7 @@ index 931b9c0..451591e 100644 %description headless A minimal headless client built from Chromium. headless_shell is built -@@ -1127,14 +1202,14 @@ udev. +@@ -1127,14 +1203,14 @@ udev. %package qt5-ui Summary: Qt5 UI built from Chromium @@ -171,7 +172,7 @@ index 931b9c0..451591e 100644 %description qt6-ui Qt6 UI for chromium. -@@ -1341,6 +1416,78 @@ cp /opt/rh/%{toolset}-%{dts_version}/root/usr/include/c++/%{dts_version}/optiona +@@ -1341,6 +1417,79 @@ cp /opt/rh/%{toolset}-%{dts_version}/root/usr/include/c++/%{dts_version}/optiona %endif %endif 
@@ -247,10 +248,11 @@ index 931b9c0..451591e 100644 +%patch -P2076 -p1 -b .disable-sync-by-default +%patch -P2077 -p1 -b .disable-infobar-for-builds-without-api-key +%patch -P2078 -p1 -b .disable-printing-by-default ++%patch -P2079 -p1 -b .enable-visited-link-database-partitioning # Change shebang in all relevant files in this directory and all subdirectories # See `man find` for how the `-exec command {} +` syntax works find -type f \( -iname "*.py" \) -exec sed -i '1s=^#! */usr/bin/\(python\|env python\)[23]\?=#!%{chromium_pybin}=' {} + -@@ -1393,7 +1540,7 @@ cp -a %{_includedir}/libusb-1.0/libusb.h third_party/libusb/src/libusb/libusb.h +@@ -1393,7 +1542,7 @@ cp -a %{_includedir}/libusb-1.0/libusb.h third_party/libusb/src/libusb/libusb.h %endif # Hard code extra version @@ -259,7 +261,7 @@ index 931b9c0..451591e 100644 # Fix hardcoded path in remoting code sed -i 's|/opt/google/chrome-remote-desktop|%{crd_path}|g' remoting/host/setup/daemon_controller_delegate_linux.cc -@@ -1494,9 +1641,11 @@ sed -i 's|OFFICIAL_BUILD|GOOGLE_CHROME_BUILD|g' tools/generate_shim_headers/gene +@@ -1494,9 +1643,11 @@ sed -i 's|OFFICIAL_BUILD|GOOGLE_CHROME_BUILD|g' tools/generate_shim_headers/gene CHROMIUM_CORE_GN_DEFINES+=' chrome_pgo_phase=0' @@ -274,7 +276,7 @@ index 931b9c0..451591e 100644 %if %{useapikey} CHROMIUM_CORE_GN_DEFINES+=' google_api_key="%{api_key}"' -@@ -1547,6 +1696,9 @@ CHROMIUM_CORE_GN_DEFINES+=' use_custom_libcxx=false' +@@ -1547,6 +1698,9 @@ CHROMIUM_CORE_GN_DEFINES+=' use_custom_libcxx=false' %endif CHROMIUM_CORE_GN_DEFINES+=' enable_iterator_debugging=false' CHROMIUM_CORE_GN_DEFINES+=' enable_vr=false' 
@@ -284,7 +286,7 @@ index 931b9c0..451591e 100644 CHROMIUM_CORE_GN_DEFINES+=' build_dawn_tests=false enable_perfetto_unittests=false' CHROMIUM_CORE_GN_DEFINES+=' disable_fieldtrial_testing_config=true' CHROMIUM_CORE_GN_DEFINES+=' symbol_level=%{debug_level} blink_symbol_level=%{debug_level}' -@@ -1586,8 +1738,8 @@ CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=false' +@@ -1586,8 +1740,8 @@ CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=false' %endif CHROMIUM_BROWSER_GN_DEFINES+=' use_gio=true use_pulseaudio=true' @@ -295,7 +297,7 @@ index 931b9c0..451591e 100644 %if %{use_vaapi} CHROMIUM_BROWSER_GN_DEFINES+=' use_vaapi=true' -@@ -1784,15 +1936,15 @@ rm -rf %{buildroot} +@@ -1784,15 +1938,15 @@ rm -rf %{buildroot} mkdir -p %{buildroot}%{_bindir} \ %{buildroot}%{chromium_path}/locales \ @@ -314,7 +316,7 @@ index 931b9c0..451591e 100644 %endif export BUILD_TARGET=`cat /etc/redhat-release` -@@ -1953,7 +2105,7 @@ mkdir -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps +@@ -1953,7 +2107,7 @@ mkdir -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps cp -a chrome/app/theme/chromium/product_logo_24.png %{buildroot}%{_datadir}/icons/hicolor/24x24/apps/%{chromium_browser_channel}.png # Install the master_preferences file @@ -323,7 +325,7 @@ index 931b9c0..451591e 100644 mkdir -p %{buildroot}%{_datadir}/applications/ desktop-file-install --dir %{buildroot}%{_datadir}/applications %{SOURCE4} -@@ -2005,11 +2157,11 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt +@@ -2005,11 +2159,11 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt %doc AUTHORS README.fedora %doc chrome_policy_list.html *.json %license LICENSE @@ -339,8 +341,6 @@ index 931b9c0..451591e 100644 %endif %{_bindir}/%{chromium_browser_channel} %{chromium_path}/*.bin -diff --git a/master_preferences b/master_preferences -index 8d732dc..58b079c 100644 --- a/master_preferences +++ b/master_preferences @@ -1,5 +1,5 @@ 
diff --git a/patches/enable-visited-link-database-partitioning.patch b/patches/enable-visited-link-database-partitioning.patch
new file mode 100644
index 00000000..8d4c8064
--- /dev/null
+++ b/patches/enable-visited-link-database-partitioning.patch
@@ -0,0 +1,13 @@
+diff --git a/third_party/blink/common/features.cc b/third_party/blink/common/features.cc
+index 00e268b511265..9f59a42de211b 100644
+--- a/third_party/blink/common/features.cc
++++ b/third_party/blink/common/features.cc
+@@ -1769,7 +1769,7 @@ const base::FeatureParam kPartialLowEndModeExcludeCanvasFontCache{
+ // TODO(crbug.com/329102369): complete the partitioned hashtable implementation.
+ BASE_FEATURE(kPartitionVisitedLinkDatabase,
+ "PartitionVisitedLinkDatabase",
+- base::FEATURE_DISABLED_BY_DEFAULT);
++ base::FEATURE_ENABLED_BY_DEFAULT);
+
+ // Enables the use of the PaintCache for Path2D objects that are rasterized
+ // out of process. Has no effect when kCanvasOopRasterization is disabled.
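Review bot: The new `features.cc` patch flips `kPartitionVisitedLinkDatabase` to `base::FEATURE_ENABLED_BY_DEFAULT` while the context line directly above it still reads `TODO(crbug.com/329102369): complete the partitioned hashtable implementation`, so the build turns on a feature that upstream marks unfinished at this version, with nothing recording why. I would add a comment inside the patch above the `BASE_FEATURE` line, for example `// hardened-chromium: on by default to partition :visited state; upstream marks this incomplete, re-verify on every rebase.`, and state in the commit message what was checked (visited-link styling across sites and frames). Because only the compiled-in default changes, the feature can presumably still be switched off through the usual runtime feature overrides, so this is a default rather than an enforced setting. The surrounding definitions in features.cc continue outside the hunk's context.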