From dc461f6845d594ca51289b1208a3aa953947dd77 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 22 Jul 2024 15:39:23 -0400 Subject: [PATCH 1/2] Added patch to disable TPCD bypasses --- hardening.patch | 30 +++++++++++++++-------------- patches/disable-tpcd-bypasses.patch | 26 +++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 14 deletions(-) create mode 100644 patches/disable-tpcd-bypasses.patch diff --git a/hardening.patch b/hardening.patch index cf456f5e..77397b9a 100644 --- a/hardening.patch +++ b/hardening.patch @@ -36,7 +36,7 @@ index 931b9c0..451591e 100644 Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use Url: http://www.chromium.org/Home License: BSD-3-Clause AND LGPL-2.1-or-later AND Apache-2.0 AND IJG AND MIT AND GPL-2.0-or-later AND ISC AND OpenSSL AND (MPL-1.1 OR GPL-2.0-only OR LGPL-2.0-only) -@@ -563,6 +563,82 @@ Patch413: fix-unknown-warning-option-messages.diff +@@ -563,6 +563,83 @@ Patch413: fix-unknown-warning-option-messages.diff # 64kpage support on el8 Patch500: chromium-124-el8-support-64kpage.patch @@ -115,11 +115,12 @@ index 931b9c0..451591e 100644 +Patch2077: disable-infobar-for-builds-without-api-key.patch +Patch2078: disable-printing-by-default.patch +Patch2079: enable-visited-link-database-partitioning.patch ++Patch2080: disable-tpcd-bypasses.patch + # Use chromium-latest.py to generate clean tarball from released build tarballs, found here: # http://build.chromium.org/buildbot/official/ # For Chromium Fedora use chromium-latest.py --stable --ffmpegclean --ffmpegarm -@@ -928,7 +1004,7 @@ Requires: libcanberra-gtk3%{_isa} +@@ -928,7 +1005,7 @@ Requires: libcanberra-gtk3%{_isa} Requires: u2f-hidraw-policy %endif @@ -128,7 +129,7 @@ index 931b9c0..451591e 100644 # rhel 7: x86_64 # rhel 8 or newer: x86_64, aarch64 -@@ -1098,7 +1174,7 @@ Requires(preun): systemd +@@ -1098,7 +1175,7 @@ Requires(preun): systemd Requires(postun): systemd Requires: xorg-x11-server-Xvfb Requires: python3-psutil @@ -137,7 +138,7 @@ index 931b9c0..451591e 100644 Summary: Remote desktop support for google-chrome & chromium %description -n chrome-remote-desktop -@@ -1107,7 +1183,7 @@ Remote desktop support for google-chrome & chromium. +@@ -1107,7 +1184,7 @@ Remote desktop support for google-chrome & chromium. %package -n chromedriver Summary: WebDriver for Google Chrome/Chromium @@ -146,7 +147,7 @@ index 931b9c0..451591e 100644 %description -n chromedriver WebDriver is an open source tool for automated testing of webapps across many -@@ -1118,7 +1194,7 @@ members of the Chromium and WebDriver teams. +@@ -1118,7 +1195,7 @@ members of the Chromium and WebDriver teams. %package headless Summary: A minimal headless shell built from Chromium @@ -155,7 +156,7 @@ index 931b9c0..451591e 100644 %description headless A minimal headless client built from Chromium. headless_shell is built -@@ -1127,14 +1203,14 @@ udev. +@@ -1127,14 +1204,14 @@ udev. %package qt5-ui Summary: Qt5 UI built from Chromium @@ -172,7 +173,7 @@ index 931b9c0..451591e 100644 %description qt6-ui Qt6 UI for chromium. -@@ -1341,6 +1417,79 @@ cp /opt/rh/%{toolset}-%{dts_version}/root/usr/include/c++/%{dts_version}/optiona +@@ -1341,6 +1418,80 @@ cp /opt/rh/%{toolset}-%{dts_version}/root/usr/include/c++/%{dts_version}/optiona %endif %endif @@ -249,10 +250,11 @@ index 931b9c0..451591e 100644 +%patch -P2077 -p1 -b .disable-infobar-for-builds-without-api-key +%patch -P2078 -p1 -b .disable-printing-by-default +%patch -P2079 -p1 -b .enable-visited-link-database-partitioning ++%patch -P2080 -p1 -b .disable-tpcd-bypasses # Change shebang in all relevant files in this directory and all subdirectories # See `man find` for how the `-exec command {} +` syntax works find -type f \( -iname "*.py" \) -exec sed -i '1s=^#! */usr/bin/\(python\|env python\)[23]\?=#!%{chromium_pybin}=' {} + -@@ -1393,7 +1542,7 @@ cp -a %{_includedir}/libusb-1.0/libusb.h third_party/libusb/src/libusb/libusb.h +@@ -1393,7 +1544,7 @@ cp -a %{_includedir}/libusb-1.0/libusb.h third_party/libusb/src/libusb/libusb.h %endif # Hard code extra version @@ -261,7 +263,7 @@ index 931b9c0..451591e 100644 # Fix hardcoded path in remoting code sed -i 's|/opt/google/chrome-remote-desktop|%{crd_path}|g' remoting/host/setup/daemon_controller_delegate_linux.cc -@@ -1494,9 +1643,11 @@ sed -i 's|OFFICIAL_BUILD|GOOGLE_CHROME_BUILD|g' tools/generate_shim_headers/gene +@@ -1494,9 +1645,11 @@ sed -i 's|OFFICIAL_BUILD|GOOGLE_CHROME_BUILD|g' tools/generate_shim_headers/gene CHROMIUM_CORE_GN_DEFINES+=' chrome_pgo_phase=0' @@ -276,7 +278,7 @@ index 931b9c0..451591e 100644 %if %{useapikey} CHROMIUM_CORE_GN_DEFINES+=' google_api_key="%{api_key}"' -@@ -1547,6 +1698,9 @@ CHROMIUM_CORE_GN_DEFINES+=' use_custom_libcxx=false' +@@ -1547,6 +1700,9 @@ CHROMIUM_CORE_GN_DEFINES+=' use_custom_libcxx=false' %endif CHROMIUM_CORE_GN_DEFINES+=' enable_iterator_debugging=false' CHROMIUM_CORE_GN_DEFINES+=' enable_vr=false' @@ -286,7 +288,7 @@ index 931b9c0..451591e 100644 CHROMIUM_CORE_GN_DEFINES+=' build_dawn_tests=false enable_perfetto_unittests=false' CHROMIUM_CORE_GN_DEFINES+=' disable_fieldtrial_testing_config=true' CHROMIUM_CORE_GN_DEFINES+=' symbol_level=%{debug_level} blink_symbol_level=%{debug_level}' -@@ -1586,8 +1740,8 @@ CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=false' +@@ -1586,8 +1742,8 @@ CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=false' %endif CHROMIUM_BROWSER_GN_DEFINES+=' use_gio=true use_pulseaudio=true' @@ -297,7 +299,7 @@ index 931b9c0..451591e 100644 %if %{use_vaapi} CHROMIUM_BROWSER_GN_DEFINES+=' use_vaapi=true' -@@ -1784,15 +1938,15 @@ rm -rf %{buildroot} +@@ -1784,15 +1940,15 @@ rm -rf %{buildroot} mkdir -p %{buildroot}%{_bindir} \ %{buildroot}%{chromium_path}/locales \ @@ -316,7 +318,7 @@ index 931b9c0..451591e 100644 %endif export BUILD_TARGET=`cat /etc/redhat-release` -@@ -1953,7 +2107,7 @@ mkdir -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps +@@ -1953,7 +2109,7 @@ mkdir -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps cp -a chrome/app/theme/chromium/product_logo_24.png %{buildroot}%{_datadir}/icons/hicolor/24x24/apps/%{chromium_browser_channel}.png # Install the master_preferences file @@ -325,7 +327,7 @@ index 931b9c0..451591e 100644 mkdir -p %{buildroot}%{_datadir}/applications/ desktop-file-install --dir %{buildroot}%{_datadir}/applications %{SOURCE4} -@@ -2005,11 +2159,11 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt +@@ -2005,11 +2161,11 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt %doc AUTHORS README.fedora %doc chrome_policy_list.html *.json %license LICENSE diff --git a/patches/disable-tpcd-bypasses.patch b/patches/disable-tpcd-bypasses.patch new file mode 100644 index 00000000..500e7ae6 --- /dev/null +++ b/patches/disable-tpcd-bypasses.patch @@ -0,0 +1,26 @@ +diff --git a/components/content_settings/core/common/features.cc b/components/content_settings/core/common/features.cc +index c1340623701ba..07ef347995154 100644 +--- a/components/content_settings/core/common/features.cc ++++ b/components/content_settings/core/common/features.cc +@@ -100,7 +100,7 @@ const char kTpcdReadHeuristicsGrantsName[] = "TpcdReadHeuristicsGrants"; + + BASE_FEATURE(kTpcdHeuristicsGrants, + "TpcdHeuristicsGrants", +- base::FEATURE_ENABLED_BY_DEFAULT); ++ base::FEATURE_DISABLED_BY_DEFAULT); + + const base::FeatureParam kTpcdReadHeuristicsGrants{ + &kTpcdHeuristicsGrants, kTpcdReadHeuristicsGrantsName, true}; +diff --git a/net/base/features.cc b/net/base/features.cc +index 387c7f01e1f5e..106176e8d4265 100644 +--- a/net/base/features.cc ++++ b/net/base/features.cc +@@ -257,7 +257,7 @@ BASE_FEATURE(kTopLevelTpcdTrialSettings, + + BASE_FEATURE(kTpcdMetadataGrants, + "TpcdMetadataGrants", +- base::FEATURE_ENABLED_BY_DEFAULT); ++ base::FEATURE_DISABLED_BY_DEFAULT); + + BASE_FEATURE(kTpcdMetadataStageControl, + "TpcdMetadataStageControl", From 5b836b7bdb69aa809f6c70d6f7f8456ce0d28b8a Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 22 Jul 2024 18:06:02 -0400 Subject: [PATCH 2/2] Increment release --- hardening.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardening.patch b/hardening.patch index 77397b9a..fe1ba557 100644 --- a/hardening.patch +++ b/hardening.patch @@ -32,7 +32,7 @@ index 931b9c0..451591e 100644 +Name: hardened-chromium%{chromium_channel} Version: 126.0.6478.182 -Release: 1%{?dist} -+Release: 3%{?dist} ++Release: 4%{?dist} Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use Url: http://www.chromium.org/Home License: BSD-3-Clause AND LGPL-2.1-or-later AND Apache-2.0 AND IJG AND MIT AND GPL-2.0-or-later AND ISC AND OpenSSL AND (MPL-1.1 OR GPL-2.0-only OR LGPL-2.0-only)