feat: apply patches to harden system (part 2)

* feat: require a password for sudo every time it's called

* feat: add hardened chromium config

Everything was taken from here: https://github.com/secureblue/secureblue

config/common_modules/scripts.yml

@@ -1,5 +1,6 @@
 type: script
 scripts:
+  - file-permissions.sh
   - system76-scheduler.sh
   - brave-browser.sh
   - systemwide-themes.sh

config/files/usr/etc/chromium/chromium.conf

@@ -0,0 +1,3 @@
+# system wide chromium flags
+CHROMIUM_FLAGS=""
+CHROMIUM_FLAGS+=" --ozone-platform=wayland"

config/files/usr/etc/chromium/policies/managed/hardening.json

@@ -0,0 +1,24 @@
+{
+    "DefaultSensorsSetting": 2,
+    "EnableMediaRouter": false,
+    "SuggestedContentEnabled": false,
+    "AccessibilityImageLabelsEnabled": false,
+    "BackgroundModeEnabled": false,
+    "BlockThirdPartyCookies": true,
+    "ChromeCleanupReportingEnabled": false,
+    "ClickToCallEnabled": false,
+    "HttpsOnlyMode": "force_enabled",
+    "MediaRecommendationsEnabled": false,
+    "MetricsReportingEnabled": false,
+    "NetworkPredictionOptions": 2,
+    "PaymentMethodQueryEnabled": false,
+    "PromotionalTabsEnabled": false,
+    "RemoteDebuggingAllowed": false,
+    "SharedClipboardEnabled": false,
+    "ShowFullUrlsInAddressBar": true,
+    "SyncDisabled": true,
+    "TranslateEnabled": false,
+    "UrlKeyedAnonymizedDataCollectionEnabled": false,
+    "WebRtcEventLogCollectionAllowed": false,
+    "WebRtcIPHandling": "disable_non_proxied_udp"
+}

config/files/usr/etc/sudoers.d/timeout

@@ -0,0 +1 @@
+Defaults    timestamp_timeout = 0

config/scripts/file-permissions.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -euo pipefail
+
+chmod 440 /usr/etc/sudoers.d/timeout