Bug#1005230: Does chromium REALLY need fuse now?

Sun, 20 Feb 2022 22:15:17 -0800 

Package: chromium
Followup-For: Bug #1005230

Hi, I ship chromium in prisons, where we extremely do not want
unprivileged users to be able to add new drivers (fuse) and
applications (flatpak/bubblewrap/xdg-desktop-portal). [*]

The fix for #1005230 added indirect dependencies on fuse and bubblewrap.

The error report for #1005230 only specifically mentioned GTK3.
Are these other "portal" dependencies *really* needed now?

If they are needed, I can deal with it.
If they aren't needed, is it feasible to define the hard dependencies more 
precisely?
Or downgrade xdg-desktop-portal to a Recommends?

(I repackage a few things in-house like linux and vlc, but
I'm frankly too scared to try that with chromium.)


As a sanity-check, I see that libwebkit2gtk-4.0-37 needs bubblewrap (but not 
fuse), and
firefox-esr needs neither.



[*] I have a bunch of other layers to block these, but
    "libfuse* isn't even installed" is really nice layer to have.
    e.g. detainee kernels have CONFIG_FUSE_FS disabled
    (though CONFIG_USER_NS is enabled due to systemd).


-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-0.bpo.2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chromium-common depends on:
ii  libc6       2.31-13+deb11u2
ii  libstdc++6  10.2.1-6
ii  libx11-6    2:1.7.2-1
ii  libxext6    2:1.3.3-1.1
ii  x11-utils   7.7+5
ii  xdg-utils   1.1.3-4.1
ii  zlib1g      1:1.2.11.dfsg-2

Versions of packages chromium-common recommends:
pn  chromium-sandbox                   <none>
ii  fonts-liberation                   1:1.07.4-11
ii  gnome-shell [notification-daemon]  3.38.6-1~deb11u1
ii  libgl1-mesa-dri                    20.3.5-1
ii  libu2f-udev                        1.1.10-3
ii  notification-daemon                3.20.0-4
ii  system-config-printer              1.5.14-1
ii  upower                             0.99.11-2

Reply via email to