fix: Disable GSSAPI so the Network Service Sandbox can work

patches/disable-gssapi-to-enable-network-service-sandbox.patch

@@ -0,0 +1,35 @@
+diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
+index 249ff5ecffa8d..c9c36e3226290 100644
+--- a/chrome/browser/net/system_network_context_manager.cc
++++ b/chrome/browser/net/system_network_context_manager.cc
+@@ -533,8 +533,12 @@ void SystemNetworkContextManager::GssapiLibraryLoadObserver::Install(
+
+ void SystemNetworkContextManager::GssapiLibraryLoadObserver::
+     OnBeforeGssapiLibraryLoad() {
++  // Keeping this enabled will disable the Network Service Sandbox when a
++  // website tries to use GSSAPI, not very secure. Flag can re-enable.
+   owner_->local_state_->SetBoolean(prefs::kReceivedHttpAuthNegotiateHeader,
+-                                   true);
++                                   base::CommandLine::
++                                   ForCurrentProcess()->HasSwitch(
++                                                        "enable-gssapi"));
+ }
+ #endif  // BUILDFLAG(IS_LINUX)
+
+diff --git a/services/network/public/mojom/network_service.mojom b/services/network/public/mojom/network_service.mojom
+index 3f3dac717be42..29a9946052308 100644
+--- a/services/network/public/mojom/network_service.mojom
++++ b/services/network/public/mojom/network_service.mojom
+@@ -95,7 +95,11 @@ struct HttpAuthDynamicParams {
+
+   // Indicates whether the GSSAPI library should be loaded. Only supported on
+   // Chrome OS and Linux.
+-  bool allow_gssapi_library_load = true;
++  // GSSAPI will disable the Network Service Sandbox when websites try to load
++  // it, not desirable from a security perspective.
++  bool allow_gssapi_library_load = base::CommandLine::
++                                   ForCurrentProcess()->HasSwitch(
++                                                        "enable-gssapi"));
+
+   // True if Basic authentication challenges should be allowed for non-secure
+   // HTTP responses.

patches/expose-flags.patch

@@ -1,8 +1,8 @@
 diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
-index 96370d4ac35a9..6429e45f5013e 100644
+index 9d0181f447a1a..f362603d31caf 100644
 --- a/chrome/browser/about_flags.cc
 +++ b/chrome/browser/about_flags.cc
-@@ -4190,6 +4190,36 @@ const FeatureEntry kFeatureEntries[] = {
+@@ -4220,6 +4220,41 @@ const FeatureEntry kFeatureEntries[] = {
  // //tools/flags/generate_unexpire_flags.py.
  #include "build/chromeos_buildflags.h"
  #include "chrome/browser/unexpire_flags_gen.inc"
@@ -36,6 +36,11 @@ index 96370d4ac35a9..6429e45f5013e 100644
 +     "Shows punycode for IDN domains to mitigate IDN homograph attacks. "
 +     "Defaults to disabled. This feature is provided by hardened-chromium.",
 +     kOsAll, FEATURE_VALUE_TYPE(url::kShowPunycodeDomains)},
++    {"enable-gssapi", "Enable GSSAPI Authentication",
++     "Enables GSSAPI for authentication. WARNING! This can cause the "
++     "network service sandbox to become persistently disabled, enable only "
++     "if absolutely necessary. This flag is provided by hardened-chromium.",
++     kOsLinux, SINGLE_VALUE_TYPE("enable-gssapi")},
      {variations::switches::kEnableBenchmarking,
       flag_descriptions::kEnableBenchmarkingName,
       flag_descriptions::kEnableBenchmarkingDescription, kOsAll,