upd: 91.0.4472.114 -> 93.0.4577.63:

- build internal ffmpeg to avoid dependency on system one (we have dropped restricted in rosa2021.1 and have merged it into main and contrib) - clean up build dependencies a bit (more clean up is required) - remove not used if-else and patches - drop patches for VA-API, upstream has VA-API support now, it is enabled, it is enough, I am fed up with different patches here - drop patch for scripts generating installtion packages which are not used by us - rename master_prefenrecnes to master_prefenrences.json to make "abf put" not upload it to filestore. - cherry-pick upstream fixes for statx() in new glibc - switch to internal libsecret backend instead of the no more maintained gnome-keyring https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1828192 libsecret should handle passwords previously saved via gnome-keyring - use system fontconfig and freetype (maybe it will help to make fonts better, maybe not, but there is no sense in using bundled ones), use system libdrm - remove odd metadata in new platforms - enable Vulkan (RB#11463), keleg@ noted disabled Vulkan in chrome://gpu despite hardware supporting it https://bugzilla.rosalinux.ru/show_bug.cgi?id=11463 - disable Control Flow Integrity (is_cfi) to avoid depending on too new clang, CFI amkes no sense for us - install crashpad_handler (chromium tries to execve() it)
2025-02-24 01:52:45 +00:00 · 2021-09-02 09:28:44 +03:00 · 2021-09-02 09:28:44 +03:00 · 55cdb91470
commit 55cdb91470
parent cde3da9b0b
16 changed files with 1967 additions and 676 deletions
--- a/.abf.yml
+++ b/.abf.yml
@ -1,8 +1,8 @@
 sources:
-  chromium-91.0.4472.114.tar.xz: d3ea56e54f3ac872febbe7399af3fbf9fb2bcb31
+  chromium-93.0.4577.63.tar.xz: 92b63a237f1366a82e28f7afcde59f2a2eb4967c
-  chromium-gost-efa8e0fdd004f162c8f8f537a137f124c814e0bf.tar.gz: db666b2e5b0163bb7616096f601231a92f541061
+  chromium-gost-3181acb959fcb8de4aa3aca4c51d8a89b90d367d.tar.gz: 3f81e4ac5204d61384480c59f45a3ef5b8feb3b0
  depot_tools.tar.xz: 082b7f9a4dfa7eb03900755b4866aef2d73543a5
  icons.tar.bz2: a835954af164bf38f8ea4ea80608839bed7800a3
-  msspi-32779bace9dd0ab644e016afe13af3f2ee1a54bd.tar.gz: d0ac1b243a4ecdc4f1c1f86b7dc95b5e8b1caa5e
+  msspi-676e76df03782fa965d8f985f4bd2e4c3ee81386.tar.gz: 5c82ce5a5780b06a481812986e3da8b1131ca1a8
  new-system-icons.tar.xz: 89339b8b3b05359a8745ed7968fe148902a2fa28
  xcb-proto-1.14.1.tar.xz: 836d5b2dd00ff21bd038e92764fda9a256a1b022
--- a/4b438323d68840453b5ef826c3997568e2e0e8c7.patch
+++ b/4b438323d68840453b5ef826c3997568e2e0e8c7.patch
--- a/60d5e803ef2a4874d29799b638754152285e0ed9.patch
+++ b/60d5e803ef2a4874d29799b638754152285e0ed9.patch
@ -0,0 +1,348 @@
 From 60d5e803ef2a4874d29799b638754152285e0ed9 Mon Sep 17 00:00:00 2001
 From: Matthew Denton <mpdenton@chromium.org>
 Date: Wed, 21 Jul 2021 12:55:11 +0000
 Subject: [PATCH] Linux sandbox: fix fstatat() crash
 This is a reland of https://crrev.com/c/2801873.
 Glibc has started rewriting fstat(fd, stat_buf) to
 fstatat(fd, "", stat_buf, AT_EMPTY_PATH). This works because when
 AT_EMPTY_PATH is specified, and the second argument is an empty string,
 then fstatat just performs an fstat on fd like normal.
 Unfortunately, fstatat() also allows stat-ing arbitrary pathnames like
 with fstatat(AT_FDCWD, "/i/am/a/file", stat_buf, 0);
 The baseline policy needs to prevent this usage of fstatat() since it
 doesn't allow access to arbitrary pathnames.
 Sadly, if the second argument is not an empty string, AT_EMPTY_PATH is
 simply ignored by current kernels.
 This means fstatat() is completely unsandboxable with seccomp, since
 we *need* to verify that the second argument is the empty string, but
 we can't dereference pointers in seccomp (due to limitations of BPF,
 and the difficulty of addressing these limitations due to TOCTOU
 issues).
 So, this CL Traps (raises a SIGSYS via seccomp) on any fstatat syscall.
 The signal handler, which runs in the sandboxed process, checks for
 AT_EMPTY_PATH and the empty string, and then rewrites any applicable
 fstatat() back into the old-style fstat().
 Bug: 1164975
 Change-Id: I3df6c04c0d781eb1f181d707ccaaead779337291
 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3042179
 Reviewed-by: Robert Sesek <rsesek@chromium.org>
 Commit-Queue: Matthew Denton <mpdenton@chromium.org>
 Cr-Commit-Position: refs/heads/master@{#903873}
 ---
 .../seccomp-bpf-helpers/baseline_policy.cc    |  8 ++++++
 .../baseline_policy_unittest.cc               | 17 ++++++++++++-
 .../seccomp-bpf-helpers/sigsys_handlers.cc    | 25 +++++++++++++++++++
 .../seccomp-bpf-helpers/sigsys_handlers.h     | 14 +++++++++++
 .../linux/syscall_broker/broker_process.cc    | 21 ++++++++++------
 .../syscall_broker/broker_process_unittest.cc | 18 ++++++-------
 sandbox/linux/system_headers/linux_stat.h     |  4 +++
 7 files changed, 89 insertions(+), 18 deletions(-)
 diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 index f2a60bb4d738d..9df0d2dbd3b5f 100644
 --- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 +++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -20,6 +20,7 @@
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/services/syscall_wrappers.h"
 +#include "sandbox/linux/system_headers/linux_stat.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 #if !defined(SO_PEEK_OFF)
@@ -304,6 +305,13 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
     return Allow();
   }
 +  // The fstatat syscalls are file system syscalls, which will be denied below
 +  // with fs_denied_errno. However some allowed fstat syscalls are rewritten by
 +  // libc implementations to fstatat syscalls, and we need to rewrite them back.
 +  if (sysno == __NR_fstatat_default) {
 +    return RewriteFstatatSIGSYS(fs_denied_errno);
 +  }
 +
   if (SyscallSets::IsFileSystem(sysno) ||
       SyscallSets::IsCurrentDirectory(sysno)) {
     return Error(fs_denied_errno);
 diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
 index 68c29b564bb8f..57d307e09d36b 100644
 --- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
 +++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
@@ -51,7 +51,8 @@ namespace sandbox {
 namespace {
 -// This also tests that read(), write() and fstat() are allowed.
 +// This also tests that read(), write(), fstat(), and fstatat(.., "", ..,
 +// AT_EMPTY_PATH) are allowed.
 void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) {
   BPF_ASSERT_LE(0, read_end.get());
   BPF_ASSERT_LE(0, write_end.get());
@@ -60,6 +61,20 @@ void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) {
   BPF_ASSERT_EQ(0, sys_ret);
   BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode));
 +  sys_ret = fstatat(read_end.get(), "", &stat_buf, AT_EMPTY_PATH);
 +  BPF_ASSERT_EQ(0, sys_ret);
 +  BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode));
 +
 +  // Make sure fstatat with anything other than an empty string is denied.
 +  sys_ret = fstatat(read_end.get(), "/", &stat_buf, AT_EMPTY_PATH);
 +  BPF_ASSERT_EQ(sys_ret, -1);
 +  BPF_ASSERT_EQ(EPERM, errno);
 +
 +  // Make sure fstatat without AT_EMPTY_PATH is denied.
 +  sys_ret = fstatat(read_end.get(), "", &stat_buf, 0);
 +  BPF_ASSERT_EQ(sys_ret, -1);
 +  BPF_ASSERT_EQ(EPERM, errno);
 +
   const ssize_t kTestTransferSize = 4;
   static const char kTestString[kTestTransferSize] = {'T', 'E', 'S', 'T'};
   ssize_t transfered = 0;
 diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
 index 64edbd68bde6b..71068a045277b 100644
 --- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
 +++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
@@ -6,6 +6,7 @@
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 +#include <fcntl.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <string.h>
@@ -22,6 +23,7 @@
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/services/syscall_wrappers.h"
 #include "sandbox/linux/system_headers/linux_seccomp.h"
 +#include "sandbox/linux/system_headers/linux_stat.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 #if defined(__mips__)
@@ -355,6 +357,24 @@ intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args,
   return -ENOSYS;
 }
 +intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
 +                              void* fs_denied_errno) {
 +  if (args.nr == __NR_fstatat_default) {
 +    if (*reinterpret_cast<const char*>(args.args[1]) == '\0' &&
 +        args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) {
 +      return syscall(__NR_fstat_default, static_cast<int>(args.args[0]),
 +                     reinterpret_cast<default_stat_struct*>(args.args[2]));
 +    }
 +    return -reinterpret_cast<intptr_t>(fs_denied_errno);
 +  }
 +
 +  CrashSIGSYS_Handler(args, fs_denied_errno);
 +
 +  // Should never be reached.
 +  RAW_CHECK(false);
 +  return -ENOSYS;
 +}
 +
 bpf_dsl::ResultExpr CrashSIGSYS() {
   return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
 }
@@ -387,6 +407,11 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS() {
   return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
 }
 +bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno) {
 +  return bpf_dsl::Trap(SIGSYSFstatatHandler,
 +                       reinterpret_cast<void*>(fs_denied_errno));
 +}
 +
 void AllocateCrashKeys() {
 #if !defined(OS_NACL_NONSFI)
   if (seccomp_crash_key)
 diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
 index 7a958b93b27a7..8cd735ce15793 100644
 --- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
 +++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
@@ -62,6 +62,19 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFailure(const arch_seccomp_data& args,
 // sched_setparam(), sched_setscheduler()
 SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
                                            void* aux);
 +// If the fstatat() syscall is functionally equivalent to an fstat() syscall,
 +// then rewrite the syscall to the equivalent fstat() syscall which can be
 +// adequately sandboxed.
 +// If the fstatat() is not functionally equivalent to an fstat() syscall, we
 +// fail with -fs_denied_errno.
 +// If the syscall is not an fstatat() at all, crash in the same way as
 +// CrashSIGSYS_Handler.
 +// This is necessary because glibc and musl have started rewriting fstat(fd,
 +// stat_buf) as fstatat(fd, "", stat_buf, AT_EMPTY_PATH). We rewrite the latter
 +// back to the former, which is actually sandboxable.
 +SANDBOX_EXPORT intptr_t
 +SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
 +                     void* fs_denied_errno);
 // Variants of the above functions for use with bpf_dsl.
 SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
@@ -72,6 +85,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSKill();
 SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
 SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
 SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
 +SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno);
 // Allocates a crash key so that Seccomp information can be recorded.
 void AllocateCrashKeys();
 diff --git a/sandbox/linux/syscall_broker/broker_process.cc b/sandbox/linux/syscall_broker/broker_process.cc
 index c2176eb785e78..e9dad37485aef 100644
 --- a/sandbox/linux/syscall_broker/broker_process.cc
 +++ b/sandbox/linux/syscall_broker/broker_process.cc
@@ -113,44 +113,49 @@ bool BrokerProcess::IsSyscallAllowed(int sysno) const {
 }
 bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const {
 +  // The syscalls unavailable on aarch64 are all blocked by Android's default
 +  // seccomp policy, even on non-aarch64 architectures. I.e., the syscalls XX()
 +  // with a corresponding XXat() versions are typically unavailable in aarch64
 +  // and are default disabled in Android. So, we should refuse to broker them
 +  // to be consistent with the platform's restrictions.
   switch (sysno) {
 -#if !defined(__aarch64__)
 +#if !defined(__aarch64__) && !defined(OS_ANDROID)
     case __NR_access:
 #endif
     case __NR_faccessat:
       return !fast_check || allowed_command_set_.test(COMMAND_ACCESS);
 -#if !defined(__aarch64__)
 +#if !defined(__aarch64__) && !defined(OS_ANDROID)
     case __NR_mkdir:
 #endif
     case __NR_mkdirat:
       return !fast_check || allowed_command_set_.test(COMMAND_MKDIR);
 -#if !defined(__aarch64__)
 +#if !defined(__aarch64__) && !defined(OS_ANDROID)
     case __NR_open:
 #endif
     case __NR_openat:
       return !fast_check || allowed_command_set_.test(COMMAND_OPEN);
 -#if !defined(__aarch64__)
 +#if !defined(__aarch64__) && !defined(OS_ANDROID)
     case __NR_readlink:
 #endif
     case __NR_readlinkat:
       return !fast_check || allowed_command_set_.test(COMMAND_READLINK);
 -#if !defined(__aarch64__)
 +#if !defined(__aarch64__) && !defined(OS_ANDROID)
     case __NR_rename:
 #endif
     case __NR_renameat:
     case __NR_renameat2:
       return !fast_check || allowed_command_set_.test(COMMAND_RENAME);
 -#if !defined(__aarch64__)
 +#if !defined(__aarch64__) && !defined(OS_ANDROID)
     case __NR_rmdir:
       return !fast_check || allowed_command_set_.test(COMMAND_RMDIR);
 #endif
 -#if !defined(__aarch64__)
 +#if !defined(__aarch64__) && !defined(OS_ANDROID)
     case __NR_stat:
     case __NR_lstat:
 #endif
@@ -175,7 +180,7 @@ bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const {
       return !fast_check || allowed_command_set_.test(COMMAND_STAT);
 #endif
 -#if !defined(__aarch64__)
 +#if !defined(__aarch64__) && !defined(OS_ANDROID)
     case __NR_unlink:
       return !fast_check || allowed_command_set_.test(COMMAND_UNLINK);
 #endif
 diff --git a/sandbox/linux/syscall_broker/broker_process_unittest.cc b/sandbox/linux/syscall_broker/broker_process_unittest.cc
 index c65f25a78a999..f0db08d84e06c 100644
 --- a/sandbox/linux/syscall_broker/broker_process_unittest.cc
 +++ b/sandbox/linux/syscall_broker/broker_process_unittest.cc
@@ -1596,52 +1596,52 @@ TEST(BrokerProcess, IsSyscallAllowed) {
   const base::flat_map<BrokerCommand, base::flat_set<int>> kSysnosForCommand = {
       {COMMAND_ACCESS,
        {__NR_faccessat,
 -#if defined(__NR_access)
 +#if defined(__NR_access) && !defined(OS_ANDROID)
         __NR_access
 #endif
        }},
       {COMMAND_MKDIR,
        {__NR_mkdirat,
 -#if defined(__NR_mkdir)
 +#if defined(__NR_mkdir) && !defined(OS_ANDROID)
         __NR_mkdir
 #endif
        }},
       {COMMAND_OPEN,
        {__NR_openat,
 -#if defined(__NR_open)
 +#if defined(__NR_open) && !defined(OS_ANDROID)
         __NR_open
 #endif
        }},
       {COMMAND_READLINK,
        {__NR_readlinkat,
 -#if defined(__NR_readlink)
 +#if defined(__NR_readlink) && !defined(OS_ANDROID)
         __NR_readlink
 #endif
        }},
       {COMMAND_RENAME,
        {__NR_renameat,
 -#if defined(__NR_rename)
 +#if defined(__NR_rename) && !defined(OS_ANDROID)
         __NR_rename
 #endif
        }},
       {COMMAND_UNLINK,
        {__NR_unlinkat,
 -#if defined(__NR_unlink)
 +#if defined(__NR_unlink) && !defined(OS_ANDROID)
         __NR_unlink
 #endif
        }},
       {COMMAND_RMDIR,
        {__NR_unlinkat,
 -#if defined(__NR_rmdir)
 +#if defined(__NR_rmdir) && !defined(OS_ANDROID)
         __NR_rmdir
 #endif
        }},
       {COMMAND_STAT,
        {
 -#if defined(__NR_stat)
 +#if defined(__NR_stat) && !defined(OS_ANDROID)
            __NR_stat,
 #endif
 -#if defined(__NR_lstat)
 +#if defined(__NR_lstat) && !defined(OS_ANDROID)
            __NR_lstat,
 #endif
 #if defined(__NR_fstatat)
 diff --git a/sandbox/linux/system_headers/linux_stat.h b/sandbox/linux/system_headers/linux_stat.h
 index 35788eb22a4e5..83b89efc75e5e 100644
 --- a/sandbox/linux/system_headers/linux_stat.h
 +++ b/sandbox/linux/system_headers/linux_stat.h
@@ -157,6 +157,10 @@ struct kernel_stat {
 };
 #endif
 +#if !defined(AT_EMPTY_PATH)
 +#define AT_EMPTY_PATH 0x1000
 +#endif
 +
 // On 32-bit systems, we default to the 64-bit stat struct like libc
 // implementations do. Otherwise we default to the normal stat struct which is
 // already 64-bit.
--- a/b2fbcdbe30cb84cd2f0b63e453f3782c49213264.patch
+++ b/b2fbcdbe30cb84cd2f0b63e453f3782c49213264.patch
@ -0,0 +1,70 @@
 From b2fbcdbe30cb84cd2f0b63e453f3782c49213264 Mon Sep 17 00:00:00 2001
 From: Matthew Denton <mpdenton@chromium.org>
 Date: Wed, 21 Jul 2021 17:12:27 +0000
 Subject: [PATCH] Linux sandbox: ENOSYS for some statx syscalls
 On some platforms, glibc will default to statx for normal stat-family
 calls. Unfortunately there's no way to rewrite statx to something safe
 using a signal handler. Returning ENOSYS will cause glibc to fallback
 to old stat paths.
 Change-Id: Ieaddc8020b6555f2dfdc443197d13cb3fccc6bf1
 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2823150
 Commit-Queue: Matthew Denton <mpdenton@chromium.org>
 Reviewed-by: Robert Sesek <rsesek@chromium.org>
 Cr-Commit-Position: refs/heads/master@{#903952}
 ---
 sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc | 11 +++++++++++
 sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc    |  1 +
 sandbox/linux/system_headers/linux_stat.h            |  4 ++++
 3 files changed, 16 insertions(+)
 diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 index 9df0d2dbd3b5f..049e921694eda 100644
 --- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 +++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -312,6 +312,17 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
     return RewriteFstatatSIGSYS(fs_denied_errno);
   }
 +  // The statx syscall is a filesystem syscall, which will be denied below with
 +  // fs_denied_errno. However, on some platforms, glibc will default to statx
 +  // for normal stat-family calls. Unfortunately there's no way to rewrite statx
 +  // to something safe using a signal handler. Returning ENOSYS will cause glibc
 +  // to fallback to old stat paths.
 +  if (sysno == __NR_statx) {
 +    const Arg<int> mask(3);
 +    return If(mask == STATX_BASIC_STATS, Error(ENOSYS))
 +        .Else(Error(fs_denied_errno));
 +  }
 +
   if (SyscallSets::IsFileSystem(sysno) ||
       SyscallSets::IsCurrentDirectory(sysno)) {
     return Error(fs_denied_errno);
 diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
 index 96c9f490e28cd..8227dc1854643 100644
 --- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
 +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -171,6 +171,7 @@ bool SyscallSets::IsFileSystem(int sysno) {
     (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
     case __NR_statfs64:
 #endif
 +    case __NR_statx:  // EPERM not a valid errno.
     case __NR_symlinkat:
     case __NR_truncate:
 #if defined(__i386__) || defined(__arm__) || \
 diff --git a/sandbox/linux/system_headers/linux_stat.h b/sandbox/linux/system_headers/linux_stat.h
 index 83b89efc75e5e..e697dd6777ef5 100644
 --- a/sandbox/linux/system_headers/linux_stat.h
 +++ b/sandbox/linux/system_headers/linux_stat.h
@@ -161,6 +161,10 @@ struct kernel_stat {
 #define AT_EMPTY_PATH 0x1000
 #endif
 +#if !defined(STATX_BASIC_STATS)
 +#define STATX_BASIC_STATS 0x000007ffU
 +#endif
 +
 // On 32-bit systems, we default to the 64-bit stat struct like libc
 // implementations do. Otherwise we default to the normal stat struct which is
 // already 64-bit.
--- a/chromium-45.0.2454.101-system-icu-54-does-not-have-detectHostTimeZone.patch
+++ b/chromium-45.0.2454.101-system-icu-54-does-not-have-detectHostTimeZone.patch
@ -1,12 +0,0 @@
 diff -up chromium-45.0.2454.101/content/browser/time_zone_monitor.cc.system-icu chromium-45.0.2454.101/content/browser/time_zone_monitor.cc
 --- chromium-45.0.2454.101/content/browser/time_zone_monitor.cc.system-icu	2015-10-13 13:42:42.816642333 -0400
 +++ chromium-45.0.2454.101/content/browser/time_zone_monitor.cc	2015-10-13 13:43:13.750917363 -0400
@@ -22,7 +22,7 @@ TimeZoneMonitor::~TimeZoneMonitor() {
 void TimeZoneMonitor::NotifyRenderers() {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
 -#if defined(OS_CHROMEOS)
 +#if defined(OS_CHROMEOS) || U_ICU_VERSION_MAJOR_NUM < 55
   // On CrOS, ICU's default tz is already set to a new zone. No
   // need to redetect it with detectHostTimeZone().
   scoped_ptr<icu::TimeZone> new_zone(icu::TimeZone::createDefault());
--- a/chromium-50-system-ffmpeg-3.patch
+++ b/chromium-50-system-ffmpeg-3.patch
@ -1,39 +0,0 @@
 diff -up chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.cc.system-ffmpeg-3 chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.cc
 --- chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.cc.system-ffmpeg-3	2016-03-22 23:02:39.000000000 +0100
 +++ chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.cc	2016-03-23 18:51:16.810699343 +0100
@@ -15,9 +15,9 @@
 #include <memory>
 extern "C" {
 -#include "third_party/ffmpeg/libavcodec/avcodec.h"
 -#include "third_party/ffmpeg/libavformat/avformat.h"
 -#include "third_party/ffmpeg/libavutil/imgutils.h"
 +#include <libavcodec/avcodec.h>
 +#include <libavformat/avformat.h>
 +#include <libavutil/imgutils.h>
 }  // extern "C"
 #include "api/video/color_space.h"
 diff -up chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.h.system-ffmpeg-3 chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.h
 --- chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.h.system-ffmpeg-3	2016-03-23 18:55:39.080894319 +0100
 +++ chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.h	2016-03-23 18:54:32.178123691 +0100
@@ -17,7 +17,7 @@
 // passed to ffmpeg.
 extern "C" {
 -#include "third_party/ffmpeg/libavcodec/avcodec.h"
 +#include <libavcodec/avcodec.h>
 }  // extern "C"
 #include "common_video/h264/h264_bitstream_parser.h"
 --- chromium-86.0.4240.111/third_party/webrtc/modules/video_coding/codecs/h264/h264_color_space.h.orig
 +++ chromium-86.0.4240.111/third_party/webrtc/modules/video_coding/codecs/h264/h264_color_space.h
@@ -23,7 +23,7 @@
 #include "api/video/color_space.h"
 extern "C" {
 -#include "third_party/ffmpeg/libavcodec/avcodec.h"
 +#include <libavcodec/avcodec.h>
 }  // extern "C"
 namespace webrtc {
--- a/chromium-54-proprietary-codecs-assert.patch
+++ b/chromium-54-proprietary-codecs-assert.patch
@ -1,16 +0,0 @@
 diff -up chromium-62.0.3192.0/media/BUILD.gn.proprietary-codecs chromium-62.0.3192.0/media/BUILD.gn
 --- chromium-62.0.3192.0/media/BUILD.gn.proprietary-codecs	2017-08-30 16:13:04.296259457 +0200
 +++ chromium-62.0.3192.0/media/BUILD.gn	2017-08-30 16:18:23.778444612 +0200
@@ -33,12 +33,6 @@ buildflag_header("media_features") {
   ]
 }
 -if (proprietary_codecs && media_use_ffmpeg) {
 -  assert(
 -      ffmpeg_branding != "Chromium",
 -      "proprietary codecs and ffmpeg_branding set to Chromium are incompatible")
 -}
 -
 # Common configuration for targets in the media directory; these must not be
 # exported since things like USE_NEON and USE_CRAS have different meanings
 # elsewhere in the code base.
--- a/chromium-79.0.3945.88-deleted-chromium-gost-info.patch
+++ b/chromium-79.0.3945.88-deleted-chromium-gost-info.patch
@ -1,34 +0,0 @@
 diff --git a/chrome/installer/linux/common/chromium-browser/chromium-browser.info b/chrome/installer/linux/common/chromium-browser/chromium-browser.info
 index 6f67b06166f0..997d45b6af45 100644
 --- a/chrome/installer/linux/common/chromium-browser/chromium-browser.info
 +++ b/chrome/installer/linux/common/chromium-browser/chromium-browser.info
@@ -6,7 +6,7 @@
 # chromium-browser packages for various platforms.
 # Base name of the package.
 -PACKAGE="chromium-browser"
 +PACKAGE="chromium-gost"
 # Base name of the snap package
 SNAPNAME="chromium"
@@ -15,16 +15,16 @@ SNAPNAME="chromium"
 PROGNAME=chrome
 # Base directory for package installation.
 -INSTALLDIR=/opt/chromium.org/chromium
 +INSTALLDIR=/opt/chromium-gost
 # Display string for desktop menu/icon.
 -MENUNAME="Chromium Web Browser"
 +MENUNAME="chromium-gost"
 # Brief package description.
 -SHORTDESC="The web browser from Chromium.org"
 +SHORTDESC="Chromium browser with GOST cryptography support"
 # Detailed package description.
 -FULLDESC="Chromium is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier."
 +FULLDESC="Chromium is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier. This version supports GOST cryptography in TLS-connections."
 # Package maintainer information.
 # TODO(mmoss) Setup a mailbox for this address
--- a/chromium-90.0.4430.72-fstatfix.patch
+++ b/chromium-90.0.4430.72-fstatfix.patch
@ -1,141 +0,0 @@
 diff -up chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 --- chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix	2021-04-16 15:35:53.869542483 -0400
 +++ chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc	2021-04-16 15:38:19.754688717 -0400
@@ -269,6 +269,18 @@ ResultExpr EvaluateSyscallImpl(int fs_de
     return Allow();
   }
 +#if defined(__NR_newfstatat)
 +  if (sysno == __NR_newfstatat) {
 +    return RewriteFstatatSIGSYS();
 +  }
 +#endif
 +
 +#if defined(__NR_fstatat64)
 +  if (sysno == __NR_fstatat64) {
 +    return RewriteFstatatSIGSYS();
 +  }
 +#endif
 +
   if (SyscallSets::IsFileSystem(sysno) ||
       SyscallSets::IsCurrentDirectory(sysno)) {
     return Error(fs_denied_errno);
 diff -up chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
 --- chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix	2021-04-14 14:41:08.000000000 -0400
 +++ chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc	2021-04-16 15:35:53.869542483 -0400
@@ -6,6 +6,8 @@
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 +#include <errno.h>
 +#include <fcntl.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <string.h>
@@ -355,6 +357,35 @@ intptr_t SIGSYSSchedHandler(const struct
   return -ENOSYS;
 }
 +intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
 +                              void* aux) {
 +  switch (args.nr) {
 +#if defined(__NR_newfstatat)
 +    case __NR_newfstatat:
 +#endif
 +#if defined(__NR_fstatat64)
 +    case __NR_fstatat64:
 +#endif
 +#if defined(__NR_newfstatat) || defined(__NR_fstatat64)
 +      if (*reinterpret_cast<const char *>(args.args[1]) == '\0'
 +          && args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) {
 +        return sandbox::sys_fstat64(static_cast<int>(args.args[0]),
 +                                    reinterpret_cast<struct stat64 *>(args.args[2]));
 +      } else {
 +        errno = EACCES;
 +        return -1;
 +      }
 +      break;
 +#endif
 +  }
 +
 +  CrashSIGSYS_Handler(args, aux);
 +
 +  // Should never be reached.
 +  RAW_CHECK(false);
 +  return -ENOSYS;
 +}
 +
 bpf_dsl::ResultExpr CrashSIGSYS() {
   return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
 }
@@ -387,6 +418,10 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS()
   return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
 }
 +bpf_dsl::ResultExpr RewriteFstatatSIGSYS() {
 +  return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL);
 +}
 +
 void AllocateCrashKeys() {
 #if !defined(OS_NACL_NONSFI)
   if (seccomp_crash_key)
 diff -up chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
 --- chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix	2021-04-14 14:41:08.000000000 -0400
 +++ chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h	2021-04-16 15:35:53.869542483 -0400
@@ -62,6 +62,10 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFail
 // sched_setparam(), sched_setscheduler()
 SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
                                            void* aux);
 +// If the fstatat syscall is actually a disguised fstat, calls the regular fstat
 +// syscall, otherwise, crashes in the same way as CrashSIGSYS_Handler.
 +SANDBOX_EXPORT intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args, 
 +                                             void* aux);
 // Variants of the above functions for use with bpf_dsl.
 SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
@@ -72,6 +76,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr Crash
 SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
 SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
 SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
 +SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS();
 // Allocates a crash key so that Seccomp information can be recorded.
 void AllocateCrashKeys();
 diff -up chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.cc.fstatfix chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.cc
 --- chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.cc.fstatfix	2021-04-14 14:41:08.000000000 -0400
 +++ chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.cc	2021-04-16 15:35:53.869542483 -0400
@@ -261,4 +261,13 @@ int sys_sigaction(int signum,
 #endif  // defined(MEMORY_SANITIZER)
 +SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf)
 +{
 +#if defined(__NR_fstat64)
 +    return syscall(__NR_fstat64, fd, buf);
 +#else
 +    return syscall(__NR_fstat, fd, buf);
 +#endif
 +}
 +
 }  // namespace sandbox
 diff -up chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.h.fstatfix chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.h
 --- chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.h.fstatfix	2021-04-14 14:41:08.000000000 -0400
 +++ chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.h	2021-04-16 15:35:53.870542491 -0400
@@ -17,6 +17,7 @@ struct sock_fprog;
 struct rlimit64;
 struct cap_hdr;
 struct cap_data;
 +struct stat64;
 namespace sandbox {
@@ -84,6 +85,9 @@ SANDBOX_EXPORT int sys_sigaction(int sig
                                  const struct sigaction* act,
                                  struct sigaction* oldact);
 +// Recent glibc rewrites fstat to fstatat.
 +SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf);
 +
 }  // namespace sandbox
 #endif  // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
--- a/chromium-browser-stable.spec
+++ b/chromium-browser-stable.spec
@ -6,6 +6,7 @@
 #  [5] https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/
 #  [6] https://packages.altlinux.org/ru/sisyphus/srpms/chromium
 #  [7] https://packages.altlinux.org/ru/sisyphus/specfiles/chromium-gost
 #  [8] https://github.com/saiarcot895/chromium-ubuntu-build
 # Get the version number of latest stable version
 # $ curl -s 'https://omahaproxy.appspot.com/all?os=linux&channel=stable' | sed 1d | cut -d , -f 3
@ -35,10 +36,9 @@
 %define crname chromium-browser
 %define _crdir %{_libdir}/%{crname}
-
+# Yandex Browser, Opera and other proprietary forks of Chromium look for libffmpeg.so in /usr/lib/chromium-browser,
-%define ffmpeg 1
+# while we use /usr/lib64/chromium-browser on x86_64
-%define icu 0
+%define _crdir_compat %{_prefix}/lib/%{crname}
 %define jsoncpp 0
 # Set up Google API keys, see http://www.chromium.org/developers/how-tos/api-keys
 # Note: these are for Mageia use ONLY.
@ -50,8 +50,8 @@
 # GOST patches and sources
 # Using commit hashes because upstream often puts tags long after making changes
 # (they wait for builds to finish to make a new "release" with binary packages)
-%define chromium_gost_commit efa8e0fdd004f162c8f8f537a137f124c814e0bf
+%define chromium_gost_commit 3181acb959fcb8de4aa3aca4c51d8a89b90d367d
-%define msspi_commit 32779bace9dd0ab644e016afe13af3f2ee1a54bd
+%define msspi_commit 676e76df03782fa965d8f985f4bd2e4c3ee81386
 %define _gostsourcedir %{_builddir}/chromium-gost
 %define xcb_version 1.14.1
@ -70,8 +70,7 @@
 # Do not provide libEGL.so, libGLESv2.so
 %global __provides_exclude_from ^%{_crdir}/.*\\.so$
-# Chromium build scripts are not compatible with Python 3 yet
+%define __python %{__python3}
 %define __python %{__python2}
 # workaround rpmlint bugs (?)
 %global _build_pkgcheck_set /bin/sh %{_sourcedir}/rpmlint-wrapper.sh %{_build_pkgcheck_set}
@ -80,7 +79,7 @@
 Summary:	A fast web browser based on the Blink engine
 Name:		chromium-browser-stable
-Version:	91.0.4472.114
+Version:	93.0.4577.63
 Release:	1
 License:	BSD, LGPL
 Group:		Networking/WWW
@ -95,7 +94,7 @@ Source20:	https://www.x.org/releases/individual/proto/xcb-proto-%{xcb_version}.t
 # From https://github.com/systemd/systemd/blob/main/src/basic/missing_fcntl.h
 # to fix building on rosa2016.1 where glibc does not have /usr/include/bits/fcntl-linux.h
 Source21:	missing_fcntl.h
-Source30:	master_preferences
+Source30:	master_preferences.json
 Source31:	default_bookmarks.html
 Source32:	chromium.default
 Source100:	icons.tar.bz2
@ -106,55 +105,29 @@ Source999:	new-system-icons.tar.xz
 Source1101:	https://github.com/deemru/chromium-gost/archive/%{chromium_gost_commit}.tar.gz?/chromium-gost-%{chromium_gost_commit}.tar.gz
 Source1102:	https://github.com/deemru/msspi/archive/%{msspi_commit}.tar.gz?/msspi-%{msspi_commit}.tar.gz
 # needs with gost
 # https://github.com/deemru/chromium-gost/blob/master/patch/chromium.patch
 Patch1:		chromium-79.0.3945.88-deleted-chromium-gost-info.patch
 Patch4:		chromium-30.0.1599.66-master-prefs-path.patch
 Patch22:	chromium-54-proprietary-codecs-assert.patch
 %if 0%{jsoncpp}
 # (cjw) add missing unbundle gn files (1)
 Patch28:	chromium-53-gn-system-icu-jsoncpp.patch
 %endif
 # (cjw) fix webrtc build with system ffmpeg
 Patch35:	chromium-50-system-ffmpeg-3.patch
 # (cjw) fix gn bootstrapping with gcc
 Patch190:	chromium-69-gn-bootstrap.patch
 # Google patched their bundled copy of icu 54 to include API functionality that wasn't added until 55.
 # :P
 Patch502:	chromium-45.0.2454.101-system-icu-54-does-not-have-detectHostTimeZone.patch
 # Patch to fix build with use_system_libvpx
 # Chromium bug #541273
 # fix build with icu other than 54
 Patch504:	chromium-system-icu-r0.patch
 # ROSA Build
 Patch600:	chromium-buildname-60.0.3112.90.patch
 # Patch to fix build
 Patch601:	chromium-62-include-cstdlib.patch
 # Add "ROSA" to the user agent string
 Patch627:	chromium-68.0.3440.106-rosa-user-agent.patch
 # Fix building third_party/wayland on rosa2016.1
 Patch639:	wayland-strndup.patch
 # Fix sandbox code to properly handle the new way that glibc handles fstat in rosa2019.1+
 # Thanks to Kevin Kofler for the fix (from Fedora)
 Patch640:	chromium-90.0.4430.72-fstatfix.patch
 # Fix building with current glib2.0
 # Hunks from https://build.opensuse.org/package/view_file/openSUSE:Factory/chromium/chromium-gcc11.patch
 Patch643:	glib2.0.patch
-# Enable hw mjpeg decoding, Nvidia etc.
+# Fix mess of python2 and python3
-# https://github.com/saiarcot895/chromium-ubuntu-build/blob/master/debian/patches/enable-vaapi-on-linux.diff
+# https://github.com/saiarcot895/chromium-ubuntu-build/blob/master/debian/patches/rename-python-to-python2.patch
-Patch644:	enable-vaapi-on-linux.diff
+Patch646:	rename-python-to-python2.patch
-# Enable VA-API with VDPAU backend on Nvidia GPUs
+Patch647:	ALT-allow-to-override-clang-through-env-variables.patch
 # https://github.com/saiarcot895/chromium-ubuntu-build/blob/master/debian/patches/vdpau-support.patch
 Patch645:	vdpau-support.patch
 Patch646:	ALT-allow-to-override-clang-through-env-variables.patch
 # XXX This patch is not enough to fully fix debuginfo and debugsource subpackages
-Patch647:	fix-debugsource.patch
+Patch648:	fix-debugsource.patch
-Patch648:	off-java-check.patch
+Patch649:	off-java-check.patch
 # From Chromium 94+ for new glibc
 Patch650:	https://github.com/chromium/chromium/commit/4b438323d68840453b5ef826c3997568e2e0e8c7.patch
 Patch651:	https://github.com/chromium/chromium/commit/60d5e803ef2a4874d29799b638754152285e0ed9.patch
 Patch652:	https://github.com/chromium/chromium/commit/b2fbcdbe30cb84cd2f0b63e453f3782c49213264.patch
 BuildRequires:	bison
 BuildRequires:	llvm12
@ -176,15 +149,13 @@ BuildRequires:	atomic-devel
 BuildRequires:	bzip2-devel
 BuildRequires:	cap-devel
 BuildRequires:	cups-devel
 # %{_bindir}/eu-strip
 BuildRequires:	elfutils
 BuildRequires:	elfutils-devel
 BuildRequires:	multiarch-utils
 BuildRequires:	java-devel
 BuildRequires:	jpeg-devel
 %if 0%{jsoncpp}
 BuildRequires:	jsoncpp-devel
 %endif
 BuildRequires:	pam-devel
-BuildRequires:	%{python2}
+BuildRequires:	python3
 BuildRequires:	snappy-devel
 BuildRequires:	speech-dispatcher-devel
 BuildRequires:	pkgconfig(alsa)
@ -197,9 +168,6 @@ BuildRequires:	pkgconfig(krb5)
 BuildRequires:	pkgconfig(krb5-gssapi)
 %endif
 BuildRequires:	pkgconfig(expat)
 %if 0%{?ffmpeg}
 BuildRequires:	pkgconfig(libavcodec) >= 4.0.2
 %endif
 BuildRequires:	pkgconfig(flac)
 BuildRequires:	pkgconfig(fontconfig)
 BuildRequires:	pkgconfig(freetype2)
@ -208,32 +176,21 @@ BuildRequires:	pkgconfig(gconf-2.0)
 BuildRequires:	pkgconfig(gl)
 BuildRequires:	pkgconfig(glib-2.0)
 BuildRequires:	pkgconfig(glu)
 BuildRequires:	pkgconfig(gnome-keyring-1)
 BuildRequires:	pkgconfig(gstreamer-plugins-base-1.0)
 BuildRequires:	pkgconfig(gtk+-3.0)
 BuildRequires:	pkgconfig(harfbuzz)
 %if 0%{icu}
 BuildRequires:	pkgconfig(icu-i18n)
 %endif
 BuildRequires:	pkgconfig(libexif)
 BuildRequires:	pkgconfig(libgcrypt)
 BuildRequires:	pkgconfig(libmtp)
 BuildRequires:	pkgconfig(libopenjp2)
 BuildRequires:	pkgconfig(libpci)
 %if %{without native_libpng}
 BuildRequires:	pkgconfig(libpng)
 %endif
 BuildRequires:	pkgconfig(libpulse)
 BuildRequires:	pkgconfig(libtiff-4)
 BuildRequires:	pkgconfig(libusb-1.0)
 BuildRequires:	pkgconfig(libxml-2.0)
 BuildRequires:	pkgconfig(libxslt)
 BuildRequires:	pkgconfig(libva)
 BuildRequires:	pkgconfig(glesv2)
 BuildRequires:	pkgconfig(minizip)
 BuildRequires:	pkgconfig(nspr)
 BuildRequires:	pkgconfig(nss)
 BuildRequires:	pkgconfig(opus)
 %if %{mdvver} >= 201910
 # Upstream Chromium is comatible with 0.2, we patch for 0.3
 BuildRequires:	pkgconfig(libpipewire-0.3)
@ -250,10 +207,11 @@ BuildRequires:	pythonegg(setuptools)
 BuildRequires:	chrpath
 %endif
 Requires:	chromium-codecs = %{EVRD}
 %if %{mdvver} <= 201610
 Conflicts:	chromium-widevinecdm-plugin < 54
 Obsoletes:	chromium-widevinecdm-plugin < 54
 Conflicts:	%{crname}-beta
 Conflicts:	%{crname}-unstable
 # There was a dummy empty package chromium-browser
 # which depended from chromium-browser-stable and nothing more.
 # We decided to remove that package.
@ -261,6 +219,8 @@ Conflicts:	%{crname}-unstable
 Obsoletes:	%{crname} < 1:%{version}-%{release}
 Provides:	%{crname} = 1:%{version}-%{release}
 Obsoletes:	chromium-gost-lib < 78.0.3904.70
 %endif
 %if %{with gost}
 Provides:	chromium-gost-lib = %{EVRD}
 %endif
@ -284,6 +244,7 @@ if proprietary CryptoPro is installed.
 %{_crdir}/chromium-wrapper
 %{_crdir}/chrome
 %{_crdir}/chrome-sandbox
 %{_crdir}/crashpad_handler
 %{_crdir}/icudtl.dat
 %{_crdir}/locales
 %{_crdir}/*.pak
@ -308,6 +269,25 @@ fi
 #----------------------------------------------------------------------------
 %package -n chromium-codecs
 Summary:	FFmpeg library for supporting media codecs in Chromium-based browsers
 # alike Ubuntu
 Provides:	chromium-codecs-ffmpeg-extra = %{EVRD}
 Provides:	chromium-codecs-ffmpeg = %{EVRD}
 %description -n chromium-codecs
 FFmpeg (libffmpeg.so) for Chromium-based browsers.
 This packaged is build from Chromium's bundled FFmpeg
 with proprietary codecs turned on.
 %files -n chromium-codecs
 %{_crdir}/libffmpeg.so
 %if "%{_lib}" != "lib"
 %{_crdir_compat}/libffmpeg.so
 %endif
 #----------------------------------------------------------------------------
 %package -n chromedriver
 Summary:	WebDriver for Google Chrome/Chromium
 Group:		Development/Other
@ -338,10 +318,13 @@ sed -i \
 	-e "s,^#include <../ssl/internal.h>,#include \"${PWD}/third_party/boringssl/src/ssl/internal.h\",g" \
 	%{_gostsourcedir}/src/gostssl.cpp
 tar -C %{_gostsourcedir}/src/msspi --strip 1 -xf %{SOURCE1102}
-sed -i 's/ (Chromium GOST)//g' %{_gostsourcedir}/patch/chromium.patch
+sed -i'' %{_gostsourcedir}/patch/chromium.patch \
-sed -i 's/Chromium GOST/Chromium/g' %{_gostsourcedir}/patch/chromium.patch
+	-e 's/ (Chromium GOST)//g' \
 	-e 's/Chromium GOST/Chromium/g' \
 	-e 's/"chromium-gost"/"chromium-browser"/g' \
 	-e 's/"chromium-gost.desktop"/"chromium-browser.desktop"/g' \
 	--
 patch -p1 < %{_gostsourcedir}/patch/chromium.patch
 %patch1 -p1 -R
 ( cd ./third_party/boringssl/src
 patch -p1 < %{_gostsourcedir}/patch/boringssl.patch )
@ -350,32 +333,7 @@ cp -f %{_gostsourcedir}/src/msspi/src/* third_party/boringssl
 cp -f %{_gostsourcedir}/src/msspi/third_party/cprocsp/include/* third_party/boringssl/src/include
 %endif
-%patch4 -p1 -b .prefs
+%autopatch -p1
 %patch22 -p1
 %if 0%{jsoncpp}
 %patch28 -p1
 %endif
 %if 0%{?ffmpeg}
 %patch35 -p1
 %endif
 %patch190 -p1
 %if 0%{icu}
 %patch502 -p1 -b .system-icu
 %patch504 -p0 -b .icu-ver
 %endif
 %patch600 -p1
 %patch601 -p1
 %patch627 -p1
 %patch639 -p1
 %patch640 -p1
 %patch643 -p1
 %patch644 -p1
 %patch645 -p1
 %patch646 -p1
 %patch647 -p1
 %patch648 -p1
 # fatal error: 'fuzzer/FuzzedDataProvider.h' file not found
 # (Available in Clang10)
@ -413,25 +371,15 @@ export PATH="$PWD/local_bin:$PATH"
 mkdir -p third_party/node/linux/node-linux-x64/bin
 ln -s /usr/bin/node third_party/node/linux/node-linux-x64/bin/node
 # (From Fedora) Get rid of the pre-built eu-strip binary, it is x86_64 and of mysterious origin
 rm -rf buildtools/third_party/eu-strip/bin/eu-strip
 ln -s %{_bindir}/eu-strip buildtools/third_party/eu-strip/bin/eu-strip
 %build
 # unpack a local copy of the xcb-proto bits
 tar xf %{SOURCE20}
 export PYTHONPATH="../../third_party/pyjson5/src:../../xcb-proto-%{xcb_version}"
 %if 0%{?ffmpeg}
 %define system_gn_list ffmpeg
 %endif
 # flac libxslt snappy yasm zlib
 # opus
 # icu
 # libevent
 # libvpx
 # libwebp
 # System libxml must be built with icu support to be used in Chromium
 # libxml
 # handled by upstream regular build scripts? : freetype harfbuzz-ng
 # jsoncpp
 # widevinecdmadapter
 # Build error with widevinecdmadapter in 67.0.3396.62 (fixed)
 %define widevine 1
@ -491,22 +439,27 @@ export PYTHONPATH="../../third_party/pyjson5/src:../../xcb-proto-%{xcb_version}"
                  symbol_level=%{symbol_level} \
                  use_thin_lto=%{use_thin_lto} \
                  strip_debug_info=false \
                  is_cfi=false \
                  system_libdir="%{_lib}" \
                  icu_use_data_file=true \
                  enable_nacl=false \
                  is_nacl_glibc=false \
                  %{linker_params} \
-                  ffmpeg_branding="Chromium" \
+                  ffmpeg_branding="ChromeOS" \
                  proprietary_codecs=true \
                  is_component_ffmpeg=true \
                  is_component_build=false \
                  enable_platform_ac3_eac3_audio = true \
                  enable_mse_mpeg2ts_stream_parser=true \
                  enable_platform_hevc=true \
                  use_system_libjpeg=true \
                  use_libjpeg_turbo=false \
                  enable_widevine=%{is_widevine} \
                  enable_vulkan=true \
                  use_pulseaudio=true \
                  link_pulseaudio=true \
                  %{pipewire_enablement} \
                  use_gnome_keyring=false \
                  use_allocator="none" \
                  treat_warnings_as_errors=false \
                  fatal_linker_warnings=false \
@ -529,7 +482,10 @@ export PYTHONPATH="../../third_party/pyjson5/src:../../xcb-proto-%{xcb_version}"
 #clang_base_path="//third_party/llvm-build/Release+Asserts" \
-%{__python} build/linux/unbundle/replace_gn_files.py --system-libraries %{system_gn_list}
+%{__python} build/linux/unbundle/replace_gn_files.py --system-libraries \
 	freetype \
 	fontconfig \
 	libdrm
 %{__python} third_party/libaddressinput/chromium/tools/update-strings.py
 # (From Fedora)
@ -603,7 +559,7 @@ out/Release/gn gen --script-executable=%{__python} --args='%{gn_config}' out/Rel
 pushd out/Release
 # widevinecdmadapter
-ninja %{_smp_mflags} %{?_with_verbose:--verbose} chrome chrome_sandbox chromedriver
+ninja %{_smp_mflags} %{?_with_verbose:--verbose} chrome chrome_sandbox chromedriver libffmpeg.so
 popd
 %install
@ -613,10 +569,17 @@ mkdir -p %{buildroot}%{_crdir}/themes
 install -m 755 %{SOURCE1} %{buildroot}%{_crdir}/chromium-wrapper
 install -m 755 out/Release/chrome %{buildroot}%{_crdir}/
 install -m 4755 out/Release/chrome_sandbox %{buildroot}%{_crdir}/chrome-sandbox
 install -m 755 out/Release/crashpad_handler %{buildroot}%{_crdir}/crashpad_handler
 cp -a out/Release/chromedriver %{buildroot}%{_crdir}/chromedriver
 install -m 644 out/Release/*.pak %{buildroot}%{_crdir}/
 install -m 644 out/Release/icudtl.dat %{buildroot}%{_crdir}/
 install -m 0755 out/Release/libffmpeg.so %{buildroot}%{_crdir}/
 %if "%{_lib}" != "lib"
 mkdir -p %{buildroot}%{_crdir_compat}
 ln -sr %{buildroot}%{_crdir}/libffmpeg.so %{buildroot}%{_crdir_compat}/libffmpeg.so
 %endif
 install -m 644 out/Release/locales/*.pak %{buildroot}%{_crdir}/locales/
 install -m 644 out/Release/resources.pak %{buildroot}%{_crdir}/
 ln -s %{_crdir}/chromium-wrapper %{buildroot}%{_bindir}/%{crname}
--- a/chromium-buildname-60.0.3112.90.patch
+++ b/chromium-buildname-60.0.3112.90.patch
@ -1,11 +0,0 @@
 --- chromium-60.0.3112.20.old/components/version_ui_strings.grdp	2017-06-08 16:55:00.495103433 +0200
 +++ chromium-60.0.3112.20/components/version_ui_strings.grdp	2017-06-08 16:55:36.027102220 +0200
@@ -7,7 +7,7 @@
     Official Build
   </message>
   <message name="IDS_VERSION_UI_UNOFFICIAL" desc="unofficial build on the about:version page">
 -    Developer Build
 +    Сборка ROSA
   </message>
   <message name="IDS_VERSION_UI_32BIT" desc="32-bit on the chrome://version page">
     (32-bit)
--- a/chromium-system-icu-r0.patch
+++ b/chromium-system-icu-r0.patch
@ -1,11 +0,0 @@
 --- components/autofill/core/common/autofill_l10n_util.cc.orig	2015-12-07 11:46:37.738740329 +0000
 +++ components/autofill/core/common/autofill_l10n_util.cc	2015-12-07 11:46:44.574878953 +0000
@@ -22,7 +22,7 @@
     // library. This could be due to a device-specific issue (has been seen in
     // the wild on Android devices). In the failure case, |collator_| will be
     // null. See http://crbug.com/558625.
 -    icu_54::UnicodeString name;
 +    icu::UnicodeString name;
     std::string locale_name;
     locale.getDisplayName(name).toUTF8String(locale_name);
     LOG(ERROR) << "Failed to initialize the ICU Collator for "
--- a/enable-vaapi-on-linux.diff
+++ b/enable-vaapi-on-linux.diff
@ -1,144 +0,0 @@
 From 53b93dfe87fd10cced5d2a2a63072dfc7a2af6e4 Mon Sep 17 00:00:00 2001
 From: Daniel Charles <daniel.charles@intel.com>
 Date: Fri, 28 Jul 2017 16:31:47 -0700
 Subject: [PATCH] Enable VAVDA, VAVEA and VAJDA on linux with VAAPI only
 This patch contains all the changes necessary to use VA-API along with
 vaapi-driver to run all media use cases supported with hardware acceleration.
 It is intended to remain as experimental accessible from chrome://flags on linux.
 It requires libva/intel-vaapi-driver to be installed on the system path where
 chrome is executed.  Other drivers could be tested if available. Flags are
 kept independent for linux, where this feature has to be enabled before
 actually using it.  This should not change how other OSes use the flags
 already, the new flags will show at the buttom on the section of unavailable
 experiments
 The changes cover a range of compiler pre-processor flags to enable the stack.
 It moves the presandbox operations to the vaapi_wrapper class as the hook function
 is available there. vaInit will open driver on the correct installed folder.
 chrome flags consolidtation into only two flags for linux.  Mjpeg and accelerated
 video are used.  The other flags are kept for ChromeOS and other OSes.
 Developer testing was made on skylake hardware, ChromeOS and Ubuntu.
 BUG=NONE
 TEST="subjective testing with VAVDA,VAVEA and VAJDA, autotest for encoder"
 TEST="and decoder hardware accelerated"
 TEST="have libva/intel-vaapi-driver installed and not installed in the system"
 TEST="repeat on different hardware families"
 R=posciak@chromium.org
 R=kcwu@chromium.org
 Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
 Change-Id: Ifbbf5c9e5221a8b5733fc6d4d0cf984a1f103171
 Signed-off-by: Daniel Charles <daniel.charles@intel.com>
 ---
 Index: dev/content/gpu/BUILD.gn
 ===================================================================
 --- dev.orig/content/gpu/BUILD.gn
 +++ dev/content/gpu/BUILD.gn
@@ -6,6 +6,7 @@ import("//build/config/chromeos/ui_mode.
 import("//build/config/ui.gni")
 import("//gpu/vulkan/features.gni")
 import("//media/media_options.gni")
 +import("//media/gpu/args.gni")
 # See //content/BUILD.gn for how this works.
 group("gpu") {
@@ -140,4 +141,8 @@ target(link_target_type, "gpu_sources")
       (!is_chromecast || is_cast_desktop_build)) {
     configs += [ "//build/config/linux/dri" ]
   }
 +
 +  if (is_linux && use_vaapi) {
 +    public_configs = [ "//build/config/linux/libva" ]
 +  }
 }
 Index: dev/media/gpu/gpu_video_decode_accelerator_factory.cc
 ===================================================================
 --- dev.orig/media/gpu/gpu_video_decode_accelerator_factory.cc
 +++ dev/media/gpu/gpu_video_decode_accelerator_factory.cc
@@ -164,6 +164,8 @@ GpuVideoDecodeAcceleratorFactory::Create
     vda = (this->*create_vda_function)(workarounds, gpu_preferences, media_log);
     if (vda && vda->Initialize(config, client))
       return vda;
 +    else
 +      LOG(ERROR) << "Initialization of one or more VDAs failed.";
   }
   return nullptr;
@@ -222,6 +224,7 @@ GpuVideoDecodeAcceleratorFactory::Create
     const gpu::GpuDriverBugWorkarounds& workarounds,
     const gpu::GpuPreferences& gpu_preferences,
     MediaLog* media_log) const {
 +  LOG(WARNING) << "Initializing VAAPI VDA.";
   std::unique_ptr<VideoDecodeAccelerator> decoder;
   decoder.reset(new VaapiVideoDecodeAccelerator(gl_client_.make_context_current,
                                                 gl_client_.bind_image));
 Index: dev/media/gpu/ipc/service/gpu_video_decode_accelerator.cc
 ===================================================================
 --- dev.orig/media/gpu/ipc/service/gpu_video_decode_accelerator.cc
 +++ dev/media/gpu/ipc/service/gpu_video_decode_accelerator.cc
@@ -384,6 +384,7 @@ bool GpuVideoDecodeAccelerator::Initiali
     LOG(ERROR) << "Failed creating the VDA factory";
     return false;
   }
 +  LOG(WARNING) << "Created the VDA factory";
   const gpu::GpuDriverBugWorkarounds& gpu_workarounds =
       stub_->channel()->gpu_channel_manager()->gpu_driver_bug_workarounds();
@@ -404,6 +405,7 @@ bool GpuVideoDecodeAccelerator::Initiali
                << (config.is_encrypted() ? " with encryption" : "");
     return false;
   }
 +  LOG(WARNING) << "Created VDA";
   // Attempt to set up performing decoding tasks on IO thread, if supported by
   // the VDA.
 Index: dev/media/gpu/vaapi/vaapi_wrapper.cc
 ===================================================================
 --- dev.orig/media/gpu/vaapi/vaapi_wrapper.cc
 +++ dev/media/gpu/vaapi/vaapi_wrapper.cc
@@ -526,6 +526,11 @@ void VADisplayState::PreSandboxInitializ
       base::File::FLAG_OPEN | base::File::FLAG_READ | base::File::FLAG_WRITE);
   if (drm_file.IsValid())
     VADisplayState::Get()->SetDrmFd(drm_file.GetPlatformFile());
 +
 +  const char kNvidiaPath[] = "/dev/dri/nvidiactl";
 +  base::File nvidia_file = base::File(
 +      base::FilePath::FromUTF8Unsafe(kNvidiaPath),
 +      base::File::FLAG_OPEN | base::File::FLAG_READ | base::File::FLAG_WRITE);
 }
 VADisplayState::VADisplayState()
@@ -632,10 +637,6 @@ bool VADisplayState::InitializeVaDriver_
 }
 bool VADisplayState::InitializeOnce() {
 -  static_assert(
 -      VA_MAJOR_VERSION >= 2 || (VA_MAJOR_VERSION == 1 && VA_MINOR_VERSION >= 1),
 -      "Requires VA-API >= 1.1.0");
 -
   // Set VA logging level, unless already set.
   constexpr char libva_log_level_env[] = "LIBVA_MESSAGING_LEVEL";
   std::unique_ptr<base::Environment> env(base::Environment::Create());
@@ -656,7 +657,6 @@ bool VADisplayState::InitializeOnce() {
     // https://github.com/intel/media-driver/issues/818
     if (!env->HasVar(libva_driver_impl_env))
       env->SetVar(libva_driver_impl_env, "i965");
 -
     // Re-initialize with the new driver.
     va_display_ = nullptr;
     va_initialized_ = false;
@@ -864,7 +864,7 @@ bool AreAttribsSupported(const base::Loc
     if (attribs[i].type != required_attribs[i].type ||
         (attribs[i].value & required_attribs[i].value) !=
             required_attribs[i].value) {
 -      DVLOG(1) << "Unsupported value " << required_attribs[i].value << " for "
 +      VLOG(1) << "Unsupported value " << required_attribs[i].value << " for "
                << vaConfigAttribTypeStr(required_attribs[i].type);
       return false;
     }
--- a/master_preferences.json
+++ b/master_preferences.json
--- a/rename-python-to-python2.patch
+++ b/rename-python-to-python2.patch
@ -0,0 +1,86 @@
 Index: dev/tools/gn/bootstrap/bootstrap.py
 ===================================================================
 --- dev.orig/tools/gn/bootstrap/bootstrap.py
 +++ dev/tools/gn/bootstrap/bootstrap.py
@@ -1,4 +1,4 @@
 -#!/usr/bin/env python
 +#!/usr/bin/env python3
 # Copyright 2014 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 Index: dev/tools/generate_stubs/generate_stubs.py
 ===================================================================
 --- dev.orig/tools/generate_stubs/generate_stubs.py
 +++ dev/tools/generate_stubs/generate_stubs.py
@@ -1,4 +1,4 @@
 -#!/usr/bin/env python
 +#!/usr/bin/env python3
 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 Index: dev/tools/gn/build/gen.py
 ===================================================================
 --- dev.orig/tools/gn/build/gen.py
 +++ dev/tools/gn/build/gen.py
@@ -1,4 +1,4 @@
 -#!/usr/bin/env python
 +#!/usr/bin/env python3
 # Copyright 2014 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 Index: dev/tools/gn/src/gn/setup.cc
 ===================================================================
 --- dev.orig/tools/gn/src/gn/setup.cc
 +++ dev/tools/gn/src/gn/setup.cc
@@ -795,7 +795,7 @@ bool Setup::FillPythonPath(const base::C
     }
     build_settings_.set_python_path(python_path);
 #else
 -    build_settings_.set_python_path(base::FilePath("python"));
 +    build_settings_.set_python_path(base::FilePath("python2"));
 #endif
   }
   return true;
 Index: dev/third_party/catapult/common/py_vulcanize/py_vulcanize/generate.py
 ===================================================================
 --- dev.orig/third_party/catapult/common/py_vulcanize/py_vulcanize/generate.py
 +++ dev/third_party/catapult/common/py_vulcanize/py_vulcanize/generate.py
@@ -83,7 +83,7 @@ def _MinifyJS(input_js):
   with tempfile.NamedTemporaryFile() as _:
     args = [
 -        sys.executable,
 +        'python3',
         rjsmin_path
     ]
     p = subprocess.Popen(args,
 Index: dev/ui/gfx/x/gen_xproto.py
 ===================================================================
 --- dev.orig/ui/gfx/x/gen_xproto.py
 +++ dev/ui/gfx/x/gen_xproto.py
@@ -1087,7 +1087,7 @@ class GenXproto(FileWriter):
         self.resolve_element(t.elt, fields)
 -        for field in fields.values():
 +        for field in list(fields.values()):
             if field.field_name == 'sequence':
                 field.visible = True
             field.parent = (t, name)
@@ -1629,8 +1630,14 @@ def main():
     args = parser.parse_args()
     sys.path.insert(1, args.xcbproto_dir)
 -    import xcbgen.xtypes
 -    import xcbgen.state
 +    try:
 +        import xcbgen.xtypes
 +        import xcbgen.state
 +    except:
 +        if sys.version_info < (3, 0):
 +            import subprocess
 +            subprocess.check_call(["python3"] + sys.argv)
 +            return 0
     all_types = {}
     proto_src_dir = os.path.join(args.xcbproto_dir, 'src')
--- a/vdpau-support.patch
+++ b/vdpau-support.patch
@ -1,152 +0,0 @@
 Taken from https://aur.archlinux.org/cgit/aur.git/tree/vdpau-support.patch?h=chromium-vaapi
 Index: dev/media/gpu/vaapi/vaapi_video_decode_accelerator.cc
 ===================================================================
 --- dev.orig/media/gpu/vaapi/vaapi_video_decode_accelerator.cc
 +++ dev/media/gpu/vaapi/vaapi_video_decode_accelerator.cc
@@ -711,7 +711,8 @@ void VaapiVideoDecodeAccelerator::Assign
   // implementation we get from |vaapi_picture_factory_| requires the video
   // processing pipeline for downloading the decoded frame from the internal
   // surface, we need to create a |vpp_vaapi_wrapper_|.
 -  if (requires_vpp && buffer_allocation_mode_ != BufferAllocationMode::kNone) {
 +  if (requires_vpp && buffer_allocation_mode_ != BufferAllocationMode::kNone &&
 +      buffer_allocation_mode_ != BufferAllocationMode::kWrapVdpau) {
     if (!vpp_vaapi_wrapper_) {
       vpp_vaapi_wrapper_ = VaapiWrapper::Create(
           VaapiWrapper::kVideoProcess, VAProfileNone,
@@ -1226,6 +1227,12 @@ VaapiVideoDecodeAccelerator::DecideBuffe
     return BufferAllocationMode::kReduced;
   return BufferAllocationMode::kSuperReduced;
 #else
 +  // NVIDIA blobs use VDPAU
 +  if (VaapiWrapper::GetImplementationType() == VAImplementation::kNVIDIAVDPAU) {
 +    LOG(INFO) << "VA-API driver on VDPAU backend";
 +    return BufferAllocationMode::kWrapVdpau;
 +  }
 +
   // TODO(crbug.com/912295): Enable a better BufferAllocationMode for IMPORT
   // |output_mode_| as well.
   if (output_mode_ == VideoDecodeAccelerator::Config::OutputMode::IMPORT)
@@ -1236,7 +1243,7 @@ VaapiVideoDecodeAccelerator::DecideBuffe
   // associated format reconciliation copy, avoiding all internal buffer
   // allocations.
   // TODO(crbug.com/911754): Enable for VP9 Profile 2.
 -  if (IsGeminiLakeOrLater() &&
 +  if (false && IsGeminiLakeOrLater() &&
       (profile_ == VP9PROFILE_PROFILE0 || profile_ == VP8PROFILE_ANY ||
        (profile_ >= H264PROFILE_MIN && profile_ <= H264PROFILE_MAX))) {
     // Add one to the reference frames for the one being currently egressed, and
 Index: dev/media/gpu/vaapi/vaapi_video_decode_accelerator.h
 ===================================================================
 --- dev.orig/media/gpu/vaapi/vaapi_video_decode_accelerator.h
 +++ dev/media/gpu/vaapi/vaapi_video_decode_accelerator.h
@@ -217,6 +217,7 @@ class MEDIA_GPU_EXPORT VaapiVideoDecodeA
     // Using |client_|s provided PictureBuffers and as many internally
     // allocated.
     kNormal,
 +    kWrapVdpau,
   };
   // Decides the concrete buffer allocation mode, depending on the hardware
 Index: dev/media/gpu/vaapi/vaapi_wrapper.cc
 ===================================================================
 --- dev.orig/media/gpu/vaapi/vaapi_wrapper.cc
 +++ dev/media/gpu/vaapi/vaapi_wrapper.cc
@@ -240,6 +240,9 @@ media::VAImplementation VendorStringToIm
   } else if (base::StartsWith(va_vendor_string, "Intel iHD driver",
                               base::CompareCase::SENSITIVE)) {
     return media::VAImplementation::kIntelIHD;
 +  } else if (base::StartsWith(va_vendor_string, "Splitted-Desktop Systems VDPAU",
 +                              base::CompareCase::SENSITIVE)) {
 +    return media::VAImplementation::kNVIDIAVDPAU;
   }
   return media::VAImplementation::kOther;
 }
@@ -1977,6 +1980,11 @@ VaapiWrapper::ExportVASurfaceAsNativePix
     return nullptr;
   }
 +  if (GetImplementationType() == VAImplementation::kNVIDIAVDPAU) {
 +    LOG(ERROR) << "Disabled due to potential breakage.";
 +    return nullptr;
 +  }
 +
   VADRMPRIMESurfaceDescriptor descriptor;
   {
     base::AutoLock auto_lock(*va_lock_);
@@ -2680,32 +2688,43 @@ bool VaapiWrapper::CreateSurfaces(unsign
   DCHECK(va_surfaces->empty());
   va_surfaces->resize(num_surfaces);
 +
   VASurfaceAttrib attribute{};
 -  attribute.type = VASurfaceAttribUsageHint;
 -  attribute.flags = VA_SURFACE_ATTRIB_SETTABLE;
 -  attribute.value.type = VAGenericValueTypeInteger;
 -  switch (usage_hint) {
 -    case SurfaceUsageHint::kVideoDecoder:
 -      attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_DECODER;
 -      break;
 -    case SurfaceUsageHint::kVideoEncoder:
 -      attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_ENCODER;
 -      break;
 -    case SurfaceUsageHint::kVideoProcessWrite:
 -      attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_VPP_WRITE;
 -      break;
 -    case SurfaceUsageHint::kGeneric:
 -      attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_GENERIC;
 -      break;
 +  if (GetImplementationType() != VAImplementation::kNVIDIAVDPAU) {
 +    // Nvidia's VAAPI-VDPAU driver doesn't support this attribute
 +    attribute.type = VASurfaceAttribUsageHint;
 +    attribute.flags = VA_SURFACE_ATTRIB_SETTABLE;
 +    attribute.value.type = VAGenericValueTypeInteger;
 +    switch (usage_hint) {
 +      case SurfaceUsageHint::kVideoDecoder:
 +        attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_DECODER;
 +        break;
 +      case SurfaceUsageHint::kVideoEncoder:
 +        attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_ENCODER;
 +        break;
 +      case SurfaceUsageHint::kVideoProcessWrite:
 +        attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_VPP_WRITE;
 +        break;
 +      case SurfaceUsageHint::kGeneric:
 +        attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_GENERIC;
 +        break;
 +    }
   }
   VAStatus va_res;
   {
     base::AutoLock auto_lock(*va_lock_);
 -    va_res = vaCreateSurfaces(
 -        va_display_, va_format, base::checked_cast<unsigned int>(size.width()),
 -        base::checked_cast<unsigned int>(size.height()), va_surfaces->data(),
 -        num_surfaces, &attribute, 1u);
 +    if (GetImplementationType() == VAImplementation::kNVIDIAVDPAU) {
 +      va_res = vaCreateSurfaces(
 +          va_display_, va_format, base::checked_cast<unsigned int>(size.width()),
 +          base::checked_cast<unsigned int>(size.height()), va_surfaces->data(),
 +          num_surfaces, NULL, 0);
 +    } else {
 +      va_res = vaCreateSurfaces(
 +          va_display_, va_format, base::checked_cast<unsigned int>(size.width()),
 +          base::checked_cast<unsigned int>(size.height()), va_surfaces->data(),
 +          num_surfaces, &attribute, 1u);
 +    }
   }
   VA_LOG_ON_ERROR(va_res, VaapiFunctions::kVACreateSurfaces_Allocating);
   return va_res == VA_STATUS_SUCCESS;
 Index: dev/media/gpu/vaapi/vaapi_wrapper.h
 ===================================================================
 --- dev.orig/media/gpu/vaapi/vaapi_wrapper.h
 +++ dev/media/gpu/vaapi/vaapi_wrapper.h
@@ -92,6 +92,7 @@ enum class VAImplementation {
   kIntelIHD,
   kOther,
   kInvalid,
 +  kNVIDIAVDPAU,
 };
 // This class handles VA-API calls and ensures proper locking of VA-API calls