From 07f550a7488924464a4d5c1fa74acf55c8622bcb Mon Sep 17 00:00:00 2001 From: Hari Juturu Date: Thu, 8 Jun 2017 23:29:35 -0700 Subject: [PATCH] enable-mixed-sandbox option --- atom/app/atom_main_delegate.cc | 15 ++++++++++----- atom/browser/web_contents_preferences.cc | 11 ++++------- atom/common/options_switches.cc | 3 +++ atom/common/options_switches.h | 1 + 4 files changed, 18 insertions(+), 12 deletions(-) diff --git a/atom/app/atom_main_delegate.cc b/atom/app/atom_main_delegate.cc index 7d29034be87a..9516a20bfe4e 100644 --- a/atom/app/atom_main_delegate.cc +++ b/atom/app/atom_main_delegate.cc @@ -125,11 +125,16 @@ void AtomMainDelegate::PreSandboxStartup() { // Only append arguments for browser process. if (!IsBrowserProcess(command_line)) return; - - if (command_line->HasSwitch(switches::kEnableSandbox)) { - // Disable setuid sandbox since it is not longer required on linux(namespace - // sandbox is available on most distros). - command_line->AppendSwitch(::switches::kDisableSetuidSandbox); + + if (!command_line->HasSwitch(switches::kEnableMixedSandbox)) { + if (command_line->HasSwitch(switches::kEnableSandbox)) { + // Disable setuid sandbox since it is not longer required on linux(namespace + // sandbox is available on most distros). + command_line->AppendSwitch(::switches::kDisableSetuidSandbox); + } else { + // Disable renderer sandbox for most of node's functions. + command_line->AppendSwitch(::switches::kNoSandbox); + } } // Allow file:// URIs to read other file:// URIs by default. diff --git a/atom/browser/web_contents_preferences.cc b/atom/browser/web_contents_preferences.cc index 26ff3d703381..b651ee85147e 100644 --- a/atom/browser/web_contents_preferences.cc +++ b/atom/browser/web_contents_preferences.cc @@ -108,14 +108,11 @@ void WebContentsPreferences::AppendExtraCommandLineSwitches( command_line->AppendSwitchASCII(switches::kWebviewTag, webview_tag ? "true" : "false"); - if (IsSandboxed(web_contents)) { - // pass `--enable-sandbox` to the renderer so it won't have any node.js - // integration. + // If the `sandbox` option was passed to the BrowserWindow's webPreferences, + // pass `--enable-sandbox` to the renderer so it won't have any node.js + // integration. + if (IsSandboxed(web_contents)) command_line->AppendSwitch(switches::kEnableSandbox); - } else { - // Disable renderer sandbox for most of node's functions. - command_line->AppendSwitch(::switches::kNoSandbox); - } if (web_preferences.GetBoolean("nativeWindowOpen", &b) && b) command_line->AppendSwitch(switches::kNativeWindowOpen); diff --git a/atom/common/options_switches.cc b/atom/common/options_switches.cc index ce63fc716a3a..f63c1d95d0bb 100644 --- a/atom/common/options_switches.cc +++ b/atom/common/options_switches.cc @@ -138,6 +138,9 @@ namespace switches { // Enable chromium sandbox. const char kEnableSandbox[] = "enable-sandbox"; +// Enable sandbox in only remote content windows. +const char kEnableMixedSandbox[] = "enable-mixed-sandbox"; + // Enable plugins. const char kEnablePlugins[] = "enable-plugins"; diff --git a/atom/common/options_switches.h b/atom/common/options_switches.h index 6fda408ee5ce..171583ec2a87 100644 --- a/atom/common/options_switches.h +++ b/atom/common/options_switches.h @@ -74,6 +74,7 @@ extern const char kWebviewTag[]; namespace switches { extern const char kEnableSandbox[]; +extern const char kEnableMixedSandbox[]; extern const char kEnablePlugins[]; extern const char kPpapiFlashPath[]; extern const char kPpapiFlashVersion[];