feat: support mixed-sandbox mode on linux (#15870)

2018-12-05 17:42:12 -08:00 · 2018-12-05 17:42:12 -08:00 · 2845267c18
commit 2845267c18
parent 764a10f7c7
4 changed files with 98 additions and 7 deletions
--- a/spec/api-app-spec.js
+++ b/spec/api-app-spec.js
@ -914,13 +914,21 @@ describe('app module', () => {
    const socketPath = process.platform === 'win32' ? '\\\\.\\pipe\\electron-mixed-sandbox' : '/tmp/electron-mixed-sandbox'

    beforeEach(function (done) {
-      // XXX(alexeykuzmin): Calling `.skip()` inside a `before` hook
-      // doesn't affect nested `describe`s.
-      // FIXME Get these specs running on Linux
-      if (process.platform === 'linux') {
+      if (process.platform === 'linux' && (process.arch === 'arm64' || process.arch === 'arm')) {
+        // Our ARM tests are run on VSTS rather than CircleCI, and the Docker
+        // setup on VSTS disallows syscalls that Chrome requires for setting up
+        // sandboxing.
+        // See:
+        // - https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile
+        // - https://chromium.googlesource.com/chromium/src/+/70.0.3538.124/sandbox/linux/services/credentials.cc#292
+        // - https://github.com/docker/docker-ce/blob/ba7dfc59ccfe97c79ee0d1379894b35417b40bca/components/engine/profiles/seccomp/seccomp_default.go#L497
+        // - https://blog.jessfraz.com/post/how-to-use-new-docker-seccomp-profiles/
+        //
+        // Adding `--cap-add SYS_ADMIN` or `--security-opt seccomp=unconfined`
+        // to the Docker invocation allows the syscalls that Chrome needs, but
+        // are probably more permissive than we'd like.
        this.skip()
      }
-
      fs.unlink(socketPath, () => {
        server = net.createServer()
        server.listen(socketPath)