electron/patches/chromium/support_mixed_sandbox_with_zygote.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Apthorp <nornagon@nornagon.net>
Date: Wed, 28 Nov 2018 13:20:27 -0800
Subject: support_mixed_sandbox_with_zygote.patch

On Linux, Chromium launches all new renderer processes via a "zygote"
process which has the sandbox pre-initialized (see
//docs/linux_zygote.md). In order to support mixed-sandbox mode, in
which some renderers are launched with the sandbox engaged and others
without it, we need the option to launch non-sandboxed renderers without
going through the zygote.

Chromium already supports a `--no-zygote` flag, but it turns off the
zygote completely, and thus also disables sandboxing. This patch allows
the `--no-zygote` flag to affect renderer processes on a case-by-case
basis, checking immediately prior to launch whether to go through the
zygote or not based on the command-line of the to-be-launched renderer.

This patch could conceivably be upstreamed, as it does not affect
production Chromium (which does not use the `--no-zygote` flag).
However, the patch would need to be reviewed by the security team, as it
does touch a security-sensitive class.

diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
index 70e105df714f0dda581b442fd9a54b7241815430..71e6b162a8e56e63731b61c171c20d134e7e8b47 100644
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -411,6 +411,11 @@ class RendererSandboxedProcessLauncherDelegate
   {
   }
 
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+  RendererSandboxedProcessLauncherDelegate(bool use_zygote):
+    use_zygote_(use_zygote) {}
+#endif
+
   ~RendererSandboxedProcessLauncherDelegate() override {}
 
 #if defined(OS_WIN)
@@ -432,6 +437,9 @@ class RendererSandboxedProcessLauncherDelegate
 
 #if BUILDFLAG(USE_ZYGOTE_HANDLE)
   service_manager::ZygoteHandle GetZygote() override {
+    if (!use_zygote_) {
+      return nullptr;
+    }
     const base::CommandLine& browser_command_line =
         *base::CommandLine::ForCurrentProcess();
     base::CommandLine::StringType renderer_prefix =
@@ -446,10 +454,13 @@ class RendererSandboxedProcessLauncherDelegate
     return service_manager::SANDBOX_TYPE_RENDERER;
   }
 
-#if defined(OS_WIN)
  private:
+#if defined(OS_WIN)
   const bool renderer_code_integrity_enabled_;
 #endif
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+  bool use_zygote_ = true;
+#endif
 };
 
 const char kSessionStorageHolderKey[] = "kSessionStorageHolderKey";
@@ -1705,11 +1716,18 @@ bool RenderProcessHostImpl::Init() {
       cmd_line->PrependWrapper(renderer_prefix);
     AppendRendererCommandLine(cmd_line.get());
 
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+    bool use_zygote = !cmd_line->HasSwitch(switches::kNoZygote);
+    auto delegate = std::make_unique<RendererSandboxedProcessLauncherDelegate>(use_zygote);
+#else
+    auto delegate = std::make_unique<RendererSandboxedProcessLauncherDelegate>();
+#endif
+
     // Spawn the child process asynchronously to avoid blocking the UI thread.
     // As long as there's no renderer prefix, we can use the zygote process
     // at this stage.
     child_process_launcher_ = std::make_unique<ChildProcessLauncher>(
-        std::make_unique<RendererSandboxedProcessLauncherDelegate>(),
+        std::move(delegate),
         std::move(cmd_line), GetID(), this, std::move(mojo_invitation_),
         base::BindRepeating(&RenderProcessHostImpl::OnMojoError, id_));
     channel_->Pause();