Update Chromium to 90.0.4430.72, combined w/ other open PRs

README.md

@@ -3,36 +3,27 @@
 ### Extension points
 
 To avoid having to expose more of the host filesystem in the sandbox but still
-allowing extending Chromium, the following extension points are defined:
-- org.chromium.Chromium.Policy
-- org.chromium.Chromium.Extension
-- org.chromium.Chromium.NativeMessagingHost
+allowing extending Chromium, the `org.chromium.Chromium.Extension` extension
+point is defined.
 
-#### org.chromium.Chromium.Policy
+This extension point is currently on version '1' and will expose any extension
+manifests under the `extensions` subdirectory, policy files under
+`policies/managed` and `policies/recommended`, and [native messaging host
+manifests](https://developer.chrome.com/docs/apps/nativeMessaging/) under
+`native-messaging-hosts`.
 
-This extension point can be used to configure custom Chromium policies and is
-currently on version '1' and will make any policy under the `policies/managed` and
-`policies/recommended` subdirectories available to Chromium.
+#### Legacy extension points
 
-#### org.chromium.Chromium.Extension
-
-Similarly to the above, but for Chromium extensions, this extension point is
-also currently on version '1' and will make any extension under the `extensions`
-subdirectory available to Chromium.
-
-#### org.chromium.Chromium.NativeMessagingHost
-
-Also as above, but for [native messaging host](https://developer.chrome.com/docs/apps/nativeMessaging/)
-support. As the other extension points, this extension point is also currently
-on version '1' and exposes the `native-messaging-hosts` subdirectory to Chromium.
+This application also supports two other extension points:
+`org.chromium.Chromium.Policy` and `org.chromium.Chromium.NativeMessagingHost`.
+These primarily exist for compatibility reasons and should not be used.
 
 #### Using extension points
 
 Extension points can be provided as regular flatpaks and an example is provided
-under `examples/policies/google-safe-search`. Important to note that extension points'
-name must follow the syntax of `<ExtensionPointName>.<id>`, where `<ExtensionPointName>`
-is one of the supported extension points above and `<id>` is a generic id for this
-specific extension point.
+under `examples/policies/google-safe-search`. Important to note that extension
+points' name must follow the syntax of `Extension.<id>`, where `<id>` is a
+generic id for this specific extension point.
 
 Flatpak also supports “unmanaged extensions”, allowing loading extensions installed
 into `/var/lib/flatpak/extension` and `$XDG_DATA_HOME/flatpak/extension`.
@@ -42,8 +33,8 @@ policies, extensions, etc.
 One example of such "unmanaged extension" could be an extension point that exposes
 all system policies installed under `/etc/chromium-browser/policies/{managed,recommended}`.
 This could be done for example by creating an extension point under
-`/var/lib/flatpak/extension/org.chromium.Chromium.Policy.system-policies`, with
-`/var/lib/flatpak/extension/org.chromium.Chromium.Policy.system-policies/<arch>/<version>`
+`/var/lib/flatpak/extension/org.chromium.Chromium.Extension.system-policies`, with
+`/var/lib/flatpak/extension/org.chromium.Chromium.Extension.system-policies/<arch>/<version>`
 being a symlink to `/etc/chromium-browser`. Note that `<version>` must match the
 extension point version.
 

build-aux/bootstrap.sh

@@ -25,6 +25,8 @@ tools/gn/bootstrap/bootstrap.py -v --no-clean --gn-gen-args='
     enable_widevine=true
     chrome_pgo_phase=0
     rtc_use_pipewire=true
+    rtc_link_pipewire=true
+    rtc_pipewire_version="0.3"
     enable_hangout_services_extension=true
 '
 mkdir -p out/ReleaseFree

build-aux/build.sh

@@ -4,4 +4,5 @@ ninja -C out/ReleaseFree -j$FLATPAK_BUILDER_N_JOBS libffmpeg.so
 
 . /usr/lib/sdk/node12/enable.sh
 . /usr/lib/sdk/openjdk11/enable.sh
+. /usr/lib/sdk/llvm11/enable.sh
 ninja -C out/Release -j$FLATPAK_BUILDER_N_JOBS chrome

chromium.sh

@@ -9,6 +9,17 @@ get_int32_property() {
     | awk 'match($0, /uint32 ([0-9]+)/, m){print m[1];}'
 }
 
+merge_extensions() {
+  (
+    shopt -s nullglob
+    dest=/app/chromium/extensions/$1
+    mkdir -p $dest
+    for ext in /app/chromium/${1%/*}/$1/*; do
+      ln -s $ext $dest
+    done
+  )
+}
+
 # Check the portal version & make sure it supports expose-pids.
 if [[ $(get_int32_property version) -lt 4 || \
       $(($(get_int32_property supports) & 1)) -eq 0 ]]; then
@@ -26,6 +37,14 @@ if [[ -f "$XDG_CONFIG_HOME/chromium-flags.conf" ]]; then
   set -- "${flags[@]}" "$@"
 fi
 
+if [[ ! -f /app/chromium/extensions/no-mount-stamp ]]; then
+  # Merge all legacy extension points if the symlinks had a tmpfs mounted over
+  # them.
+  merge_extensions native-messaging-hosts
+  merge_extensions policies/managed
+  merge_extensions policies/recommended
+fi
+
 flextop-init
 
 export TMPDIR="$XDG_RUNTIME_DIR/app/$FLATPAK_ID"

examples/policies/google-safe-search/org.chromium.Chromium.Policy.google-safe-search.yaml → examples/policies/google-safe-search/org.chromium.Chromium.Extension.google-safe-search-policy.yaml

@@ -1,8 +1,8 @@
-app-id: org.chromium.Chromium.Policy.google-safe-search
+app-id: org.chromium.Chromium.Extension.google-safe-search-policy
 # This should match the extension point version
 branch: '1'
 runtime: org.chromium.Chromium
-runtime-version: 'stable'
+runtime-version: stable
 sdk: org.freedesktop.Sdk//20.08
 build-extension: true
 appstream-compose: false

org.chromium.Chromium.yaml

@@ -43,7 +43,7 @@ add-extensions:
   org.chromium.Chromium.Extension:
     version: '1'
     directory: chromium/extensions
-    merge-dirs: extensions
+    merge-dirs: 'extensions;native-messaging-hosts;policies/managed;policies/recommended'
     subdirectories: true
     no-autodownload: true
     autodelete: true
@@ -59,6 +59,7 @@ add-extensions:
 sdk-extensions:
   - org.freedesktop.Sdk.Extension.node12
   - org.freedesktop.Sdk.Extension.openjdk11
+  - org.freedesktop.Sdk.Extension.llvm11
 
 modules:
   - libsecret.json
@@ -149,25 +150,15 @@ modules:
     sources:
       - type: git
         url: https://github.com/refi64/flextop
-        commit: 485c332c7ec36a8b74be8f3622fc756ac6263f40
+        commit: 9f66dac84388f520ecab5ac4fa60df6343b7db5b
 
   - name: extensions
     buildsystem: simple
     build-commands:
       - mkdir -p /app/chromium/{extensions,native-messaging-hosts,policies}
+      - for dir in native-messaging-hosts policies; do ln -s /app/chromium/{$dir,extensions}/$dir; done
+      - touch /app/chromium/extensions/no-mount-stamp
 
-  - name: pipewire
-    buildsystem: meson
-    config-opts:
-      - -Dgstreamer=disabled
-      - -Dman=false
-      - -Dsystemd=false
-    sources:
-      - type: git
-        url: https://github.com/PipeWire/pipewire.git
-        tag: 0.2.7
-
-        commit: 14c11c0fe4d366bad4cfecdee97b6652ff9ed63d
   - name: chromium
     buildsystem: simple
     build-options:
@@ -184,8 +175,8 @@ modules:
       - ./install.sh
     sources:
       - type: archive
-        url: https://commondatastorage.googleapis.com/chromium-browser-official/chromium-89.0.4389.128.tar.xz
-        sha256: 1a75ea6aeb98f2d3b6feae1fbf5692679e93d5b7631bc7c762dd873499deda5b
+        url: https://commondatastorage.googleapis.com/chromium-browser-official/chromium-90.0.4430.72.tar.xz
+        sha256: a5cc88ca8fffac21ec4d1646980f698dfb6f388a225dd7a2c5a3d252a4098943
         x-checker-data:
           type: anitya
           project-id: 13344
@@ -212,11 +203,11 @@ modules:
           - patches/0017-Use-CHROME_WRAPPER-as-the-executable-on-restart.patch
           - patches/0018-Add-support-for-the-XDG-file-chooser-portal.patch
           - patches/0019-Add-OpenURI-portal-support-for-opening-directories.patch
-          - patches/0020-Remove-references-to-enable-dse-memoryssa.patch
-          - patches/0021-Enable-new-dtags-on-non-component-builds.patch
-          - patches/0022-Add-support-for-respecting-system-proxy-settings-whe.patch
-          - patches/0023-Revert-Reland-build-In-LTO-links-run-just-one-link-a.patch
-          - patches/0024-Revert-base-Rename-SEQUENCE_CHECKER-capability-name.patch
+          - patches/0020-Enable-new-dtags-on-non-component-builds.patch
+          - patches/0021-Add-support-for-respecting-system-proxy-settings-whe.patch
+          - patches/0022-Revert-Reland-build-In-LTO-links-run-just-one-link-a.patch
+          - patches/0023-Revert-base-Rename-SEQUENCE_CHECKER-capability-name.patch
+          - patches/0024-Revert-Reland-Add-clang-nomerge-attribute-to-CheckEr.patch
       - type: file
         path: org.chromium.Chromium.desktop
       - type: file

patches/0001-ffmpeg-Use-royalty-free-libfdk-aac-for-AAC-playback.patch

@@ -1,4 +1,4 @@
-From f47615158243cf16dccad204e2d06e329c83e5c7 Mon Sep 17 00:00:00 2001
+From 89464ac4369150b047c403ed707736c534fe01ba Mon Sep 17 00:00:00 2001
 From: Mario Sanchez Prada <[email protected]>
 Date: Wed, 4 Jul 2018 17:02:26 +0100
 Subject: [PATCH 1/4] ffmpeg: Use royalty-free libfdk-aac for AAC playback
@@ -1609,10 +1609,10 @@ index 367a7f7f3c..bc43b980d5 100644
 +#define FFMPEG_VERSION "4.3.git"
  #endif /* AVUTIL_FFVERSION_H */
 diff --git a/third_party/ffmpeg/chromium/scripts/build_ffmpeg.py b/third_party/ffmpeg/chromium/scripts/build_ffmpeg.py
-index 75333a2c9f..ae8cf3a69c 100755
+index b51f47934a..a77646e57e 100755
 --- a/third_party/ffmpeg/chromium/scripts/build_ffmpeg.py
 +++ b/third_party/ffmpeg/chromium/scripts/build_ffmpeg.py
-@@ -910,11 +910,27 @@ def ConfigureAndBuild(target_arch, target_os, host_os, host_arch, parallel_jobs,
+@@ -912,11 +912,27 @@ def ConfigureAndBuild(target_arch, target_os, host_os, host_arch, parallel_jobs,
            '--ar=cygwin-wrapper lib',
        ])
 

patches/0002-ffmpeg-Handle-transient-decode-errors-arising-from-l.patch

@@ -1,4 +1,4 @@
-From 71ba0c7a857c919a5db006b2fcbc0f9d4473a3e6 Mon Sep 17 00:00:00 2001
+From b8554ce16b08329fac4563a8dc02305fddc80ea6 Mon Sep 17 00:00:00 2001
 From: Jan Schmidt <[email protected]>
 Date: Wed, 1 May 2019 17:49:42 +0200
 Subject: [PATCH 2/4] ffmpeg: Handle transient decode errors arising from

patches/0003-Use-system-wide-node.patch

@@ -1,4 +1,4 @@
-From 4ffb09f462a0d3bbec4eb239e71718ab18e7424c Mon Sep 17 00:00:00 2001
+From 8eb22b8000b0f54895ec140492dc4d570c0c33eb Mon Sep 17 00:00:00 2001
 From: Andre Moreira Magalhaes <[email protected]>
 Date: Thu, 16 Jul 2020 20:22:57 -0300
 Subject: [PATCH 3/4] Use system wide node

patches/0004-Ensure-libffmpeg.so-is-in-the-rpath-of-binaries.patch

@@ -1,4 +1,4 @@
-From 9d0f1fa1d670e89245bc24583a92b6ed2e8c20c2 Mon Sep 17 00:00:00 2001
+From 6fa73e046ad88de40bd25bb08cac417e2cf34785 Mon Sep 17 00:00:00 2001
 From: Ryan Gonzalez <[email protected]>
 Date: Thu, 1 Oct 2020 16:39:00 -0500
 Subject: [PATCH 4/4] Ensure libffmpeg.so is in the rpath of binaries

patches/0005-flatpak-Add-initial-sandbox-support.patch

@@ -1,4 +1,4 @@
-From 6c8bdf84df2da131cfe6a848d6a257aeae059979 Mon Sep 17 00:00:00 2001
+From 0e6f907c18e4fc968a71109a86c721fa7be64d15 Mon Sep 17 00:00:00 2001
 From: Ryan Gonzalez <[email protected]>
 Date: Tue, 17 Mar 2020 13:18:27 -0500
 Subject: [PATCH 05/24] flatpak: Add initial sandbox support
@@ -29,22 +29,22 @@ Subject: [PATCH 05/24] flatpak: Add initial sandbox support
  create mode 100644 sandbox/linux/services/flatpak_sandbox.h
 
 diff --git a/.gitignore b/.gitignore
-index f6164b328aa4a..5e08625dfe664 100644
+index 0d222bbe0b579..ef17dc6e39b92 100644
 --- a/.gitignore
 +++ b/.gitignore
-@@ -62,6 +62,7 @@ v8.log
- vs-chromium-project.txt
+@@ -63,6 +63,7 @@ vs-chromium-project.txt
+ /.clangd
  /.clangd/
  /.clangd-index/
 +/.flatpak-builder/
  # Settings directories for eclipse
  /.externalToolBuilders/
  /.settings/
 diff --git a/base/threading/thread_restrictions.h b/base/threading/thread_restrictions.h
-index c0cc548d9f8e5..f987a8331f3b4 100644
+index ce16488c6d3c3..b1d4b70d815f3 100644
 --- a/base/threading/thread_restrictions.h
 +++ b/base/threading/thread_restrictions.h
-@@ -284,6 +284,10 @@ namespace resource_coordinator {
+@@ -286,6 +286,10 @@ namespace resource_coordinator {
  class TabManagerDelegate;
  }
 
@@ -55,15 +55,15 @@ index c0cc548d9f8e5..f987a8331f3b4 100644
  namespace service_manager {
  class ServiceProcessLauncher;
  }
-@@ -414,6 +418,7 @@ class BASE_EXPORT ScopedAllowBlocking {
+@@ -416,6 +420,7 @@ class BASE_EXPORT ScopedAllowBlocking {
    friend class printing::PrintJobWorker;
    friend class remoting::ScopedBypassIOThreadRestrictions;  // crbug.com/1144161
    friend class resource_coordinator::TabManagerDelegate;  // crbug.com/778703
 +  friend class sandbox::FlatpakSandbox;
    friend class web::WebSubThread;
    friend class weblayer::BrowserContextImpl;
    friend class weblayer::ContentBrowserClientImpl;
-@@ -486,6 +491,7 @@ class BASE_EXPORT ScopedAllowBaseSyncPrimitives {
+@@ -489,6 +494,7 @@ class BASE_EXPORT ScopedAllowBaseSyncPrimitives {
    friend class rlz_lib::FinancialPing;
    friend class shell_integration_linux::
        LaunchXdgUtilityScopedAllowBaseSyncPrimitives;
@@ -378,10 +378,10 @@ index 82923d4a85df3..cf4765841786a 100644
                  base::GlobalDescriptors::Descriptor(
                      static_cast<uint32_t>(kSandboxIPCChannel), GetSandboxFD()));
 diff --git a/sandbox/linux/BUILD.gn b/sandbox/linux/BUILD.gn
-index e9a94b46125e3..770ce3b6edfea 100644
+index 2f778dd0bcab2..25e9571232351 100644
 --- a/sandbox/linux/BUILD.gn
 +++ b/sandbox/linux/BUILD.gn
-@@ -329,6 +329,10 @@ if (is_linux || is_chromeos) {
+@@ -333,6 +333,10 @@ if (is_linux || is_chromeos) {
 
  component("sandbox_services") {
    sources = [
@@ -392,7 +392,7 @@ index e9a94b46125e3..770ce3b6edfea 100644
      "services/init_process_reaper.cc",
      "services/init_process_reaper.h",
      "services/proc_util.cc",
-@@ -367,7 +371,10 @@ component("sandbox_services") {
+@@ -371,7 +375,10 @@ component("sandbox_services") {
 
    defines = [ "SANDBOX_IMPLEMENTATION" ]
 

patches/0006-flatpak-Expose-Widevine-into-the-sandbox.patch

@@ -1,4 +1,4 @@
-From 65328e65e68c1d909dbfc6c7615d0e3e57c07b07 Mon Sep 17 00:00:00 2001
+From 800b4a9f516604313318a0529d49c0a1b04d322d Mon Sep 17 00:00:00 2001
 From: Ryan Gonzalez <[email protected]>
 Date: Tue, 17 Nov 2020 13:00:39 -0600
 Subject: [PATCH 06/24] flatpak: Expose Widevine into the sandbox