From 4250f842722a15a64bff4d3a5c1995680d595ebc Mon Sep 17 00:00:00 2001 From: Jeremy Apthorp Date: Wed, 12 Dec 2018 16:01:10 -0800 Subject: [PATCH] chore: enable v2 sandbox on mac (#15647) --- BUILD.gn | 8 ++ atom/app/atom_main.cc | 35 ++++++++ atom/browser/atom_browser_main_parts.cc | 7 -- patches/common/chromium/.patches | 1 - ...rm_control_rendering_on_10_14_mojave.patch | 90 ------------------- 5 files changed, 43 insertions(+), 98 deletions(-) delete mode 100644 patches/common/chromium/mac_fix_form_control_rendering_on_10_14_mojave.patch diff --git a/BUILD.gn b/BUILD.gn index e885f11c8f6..a425992a5fa 100644 --- a/BUILD.gn +++ b/BUILD.gn @@ -623,7 +623,9 @@ if (is_mac) { output_name = electron_helper_name deps = [ ":electron_framework+link", + "//sandbox/mac:seatbelt", ] + defines = [ "HELPER_EXECUTABLE" ] sources = filenames.app_sources include_dirs = [ "." ] info_plist = "atom/renderer/resources/mac/Info.plist" @@ -632,6 +634,12 @@ if (is_mac) { "-rpath", "@executable_path/../../..", ] + if (is_component_build) { + ldflags += [ + "-rpath", + "@executable_path/../../../../../..", + ] + } } bundle_data("electron_app_framework_bundle_data") { diff --git a/atom/app/atom_main.cc b/atom/app/atom_main.cc index 241f0c2679c..bcf4435e75f 100644 --- a/atom/app/atom_main.cc +++ b/atom/app/atom_main.cc @@ -5,6 +5,7 @@ #include "atom/app/atom_main.h" #include +#include #include #if defined(OS_WIN) @@ -30,6 +31,7 @@ #include "atom/app/atom_main_delegate.h" // NOLINT #include "content/public/app/content_main.h" #else // defined(OS_LINUX) +#include #include #include #include "atom/app/atom_library_main.h" @@ -41,6 +43,10 @@ #include "base/i18n/icu_util.h" #include "electron/buildflags/buildflags.h" +#if defined(HELPER_EXECUTABLE) +#include "sandbox/mac/seatbelt_exec.h" // nogncheck +#endif // defined(HELPER_EXECUTABLE) + namespace { #if BUILDFLAG(ENABLE_RUN_AS_NODE) 
@@ -207,6 +213,35 @@ int main(int argc, char* argv[]) { } #endif +#if defined(HELPER_EXECUTABLE) + uint32_t exec_path_size = 0; + int rv = _NSGetExecutablePath(NULL, &exec_path_size); + if (rv != -1) { + fprintf(stderr, "_NSGetExecutablePath: get length failed\n"); + abort(); + } + + std::unique_ptr exec_path(new char[exec_path_size]); + rv = _NSGetExecutablePath(exec_path.get(), &exec_path_size); + if (rv != 0) { + fprintf(stderr, "_NSGetExecutablePath: get path failed\n"); + abort(); + } + sandbox::SeatbeltExecServer::CreateFromArgumentsResult seatbelt = + sandbox::SeatbeltExecServer::CreateFromArguments(exec_path.get(), argc, + argv); + if (seatbelt.sandbox_required) { + if (!seatbelt.server) { + fprintf(stderr, "Failed to create seatbelt sandbox server.\n"); + abort(); + } + if (!seatbelt.server->InitializeSandbox()) { + fprintf(stderr, "Failed to initialize sandbox.\n"); + abort(); + } + } +#endif + return AtomMain(argc, argv); } diff --git a/atom/browser/atom_browser_main_parts.cc b/atom/browser/atom_browser_main_parts.cc index 0d79671e174..c35f793fbb8 100644 --- a/atom/browser/atom_browser_main_parts.cc +++ b/atom/browser/atom_browser_main_parts.cc @@ -198,13 +198,6 @@ void AtomBrowserMainParts::InitializeFeatureList() { cmd_line->GetSwitchValueASCII(::switches::kEnableFeatures); auto disable_features = cmd_line->GetSwitchValueASCII(::switches::kDisableFeatures); -#if defined(OS_MACOSX) - // Disable the V2 sandbox on macOS. - // Chromium is going to use the system sandbox API of macOS for the sandbox - // implmentation, we may have to deprecate --mixed-sandbox for macOS once - // Chromium drops support for the old sandbox implmentation. - disable_features += std::string(",") + features::kMacV2Sandbox.name; -#endif // Disable creation of spare renderer process with site-per-process mode, // it interferes with our process preference tracking for non sandboxed mode. // Can be reenabled when our site instance policy is aligned with chromium 
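Review bot: The `#if defined(HELPER_EXECUTABLE)` block added at the top of the `main` hunk carries no comment saying why the seatbelt server has to be created here, ahead of `AtomMain`, or what it means when `seatbelt.sandbox_required` is false, and that ordering is exactly what a later refactor is most likely to break by moving the block or wrapping it in other initialisation. I would place a comment above the `#if` such as `// Helper processes apply the seatbelt profile handed over by the browser before doing any other work; a helper that was not asked to sandbox runs unsandboxed by design.` — the precise ordering contract should be confirmed against seatbelt_exec.h, which is outside this hunk. The four failure branches all `abort()` rather than continuing without a sandbox, which is the correct fail-closed behaviour and deserves a one-line mention in the same comment so nobody "softens" it into a warning later. As a style point, `_NSGetExecutablePath(NULL, &exec_path_size)` would normally be `nullptr` in this file, and the extracted text shows `std::unique_ptr exec_path(new char[exec_path_size]);` with no template argument, so please check that the committed line carries the intended `<char[]>` specialisation (or use a `std::vector<char>`/`std::string` buffer and avoid the raw `new`).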
diff --git a/patches/common/chromium/.patches b/patches/common/chromium/.patches index 599230ada82..715b6cc968b 100644 --- a/patches/common/chromium/.patches +++ b/patches/common/chromium/.patches @@ -72,6 +72,5 @@ customizable_app_indicator_id_prefix.patch cross_site_document_resource_handler.patch content_allow_embedder_to_prevent_locking_scheme_registry.patch fix_trackpad_scrolling.patch -mac_fix_form_control_rendering_on_10_14_mojave.patch support_mixed_sandbox_with_zygote.patch disable_color_correct_rendering.patch diff --git a/patches/common/chromium/mac_fix_form_control_rendering_on_10_14_mojave.patch b/patches/common/chromium/mac_fix_form_control_rendering_on_10_14_mojave.patch deleted file mode 100644 index 92bc82f13d1..00000000000 --- a/patches/common/chromium/mac_fix_form_control_rendering_on_10_14_mojave.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: deepak1556 -Date: Tue, 27 Nov 2018 04:32:18 +0530 -Subject: [Mac] Fix form control rendering on 10.14 Mojave. - -Backports https://crrev.com/c/1106298/ and https://crrev.com/c/1130163/ -with changes required for v1 sandbox on macOS. - -This can be removed after enabling seatbelt sandbox v2 - -diff --git a/services/service_manager/sandbox/mac/common.sb b/services/service_manager/sandbox/mac/common.sb -index 0e90c9ab2f61aacceb1ca60893445881339b834a..b7dc1998df0f42cc58d24f2233a929810244440e 100644 ---- a/services/service_manager/sandbox/mac/common.sb -+++ b/services/service_manager/sandbox/mac/common.sb -@@ -19,6 +19,7 @@ - (define homedir-as-literal "USER_HOMEDIR_AS_LITERAL") - (define elcap-or-later "ELCAP_OR_LATER") - (define macos-1013 "MACOS_1013") -+(define os-version (string->number (param "OS_VERSION"))) - - ; Consumes a subpath and appends it to the user's homedir path. - (define (user-homedir-path subpath) -diff --git a/services/service_manager/sandbox/mac/renderer.sb b/services/service_manager/sandbox/mac/renderer.sb -index 09f142e19c2cb2ba8fb3fbcd2df1684899ae1c16..7e56b3fa582afcaa4a4862246553c0fbdf520e6a 100644 ---- a/services/service_manager/sandbox/mac/renderer.sb -+++ b/services/service_manager/sandbox/mac/renderer.sb -@@ -12,6 +12,7 @@ - (allow mach-lookup (global-name "com.apple.FontObjectsServer")) - (allow mach-lookup (global-name "com.apple.FontServer")) - (allow mach-lookup (global-name "com.apple.fonts")) -+(allow mach-lookup (global-name "com.apple.cvmsServ")) ; https://crbug.com/850021 - (allow file-read* (extension "com.apple.app-sandbox.read")) ; https://crbug.com/662686 - - ; Allow read-only connection to launchservicesd. 
https://crbug.com/533537 -@@ -41,6 +42,19 @@ - (allow file-read-data (subpath "/usr/share/zoneinfo.default"))) - (allow file-read-data (subpath "/usr/share/zoneinfo"))) - -+; Reads of signed Mach-O blobs created by the CVMS server. -+; https://crbug.com/850021 -+(if (>= os-version 1014) -+ (allow file-read* -+ (extension "com.apple.cvms.kernel") -+ (prefix "/private/tmp/cvmsCodeSignObj") -+ (subpath "/private/var/db/CVMS"))) -+ -+; Reads from /Library. -+; https://crbug.com/850021 -+(allow file-read-data -+ (subpath "/Library/GPUBundles")) -+ - ; Allow access to the metadata of the /etc symlink. - (allow file-read-metadata (path "/etc")) - ; Allow access to the symlink target as well. -diff --git a/services/service_manager/sandbox/mac/sandbox_mac.mm b/services/service_manager/sandbox/mac/sandbox_mac.mm -index d69fcc0d4c5c2471163280c03a9fd9366e05031d..cdd7b7f6723162d6875c4d11379837708bdde79d 100644 ---- a/services/service_manager/sandbox/mac/sandbox_mac.mm -+++ b/services/service_manager/sandbox/mac/sandbox_mac.mm -@@ -81,6 +81,21 @@ - size_t(SANDBOX_TYPE_AFTER_LAST_TYPE), - "sandbox type to resource id mapping incorrect"); - -+// Produce the OS version as an integer "1010", etc. and pass that to the -+// profile. The profile converts the string back to a number and can do -+// comparison operations on OS version. -+std::string GetOSVersion() { -+ int32_t major_version, minor_version, bugfix_version; -+ base::SysInfo::OperatingSystemVersionNumbers(&major_version, &minor_version, -+ &bugfix_version); -+ base::CheckedNumeric os_version(major_version); -+ os_version *= 100; -+ os_version += minor_version; -+ -+ int32_t final_os_version = os_version.ValueOrDie(); -+ return std::to_string(final_os_version); -+} -+ - } // namespace - - // Static variable declarations. 
-@@ -242,6 +257,9 @@ - if (!compiler.InsertBooleanParam(kSandboxMacOS1013, macos_1013)) - return false; - -+ if (!compiler.InsertStringParam(kSandboxOSVersion, GetOSVersion())) -+ return false; -+ - if (sandbox_type == service_manager::SANDBOX_TYPE_CDM) { - base::FilePath bundle_path = SandboxMac::GetCanonicalPath( - base::mac::FrameworkBundlePath().DirName());