chore: enable v2 sandbox on mac (#15647)

2018-12-12 16:01:10 -08:00 · 2018-12-12 16:01:10 -08:00 · 4250f84272
commit 4250f84272
parent f7528a0204
5 changed files with 43 additions and 98 deletions
--- a/atom/app/atom_main.cc
+++ b/atom/app/atom_main.cc
@ -5,6 +5,7 @@
 #include "atom/app/atom_main.h"

 #include <cstdlib>
+#include <memory>
 #include <vector>

 #if defined(OS_WIN)
@ -30,6 +31,7 @@
 #include "atom/app/atom_main_delegate.h"  // NOLINT
 #include "content/public/app/content_main.h"
 #else  // defined(OS_LINUX)
+#include <mach-o/dyld.h>
 #include <unistd.h>
 #include <cstdio>
 #include "atom/app/atom_library_main.h"
@ -41,6 +43,10 @@
 #include "base/i18n/icu_util.h"
 #include "electron/buildflags/buildflags.h"

+#if defined(HELPER_EXECUTABLE)
+#include "sandbox/mac/seatbelt_exec.h"  // nogncheck
+#endif                                  // defined(HELPER_EXECUTABLE)
+
 namespace {

 #if BUILDFLAG(ENABLE_RUN_AS_NODE)
@ -207,6 +213,35 @@ int main(int argc, char* argv[]) {
  }
 #endif

+#if defined(HELPER_EXECUTABLE)
+  uint32_t exec_path_size = 0;
+  int rv = _NSGetExecutablePath(NULL, &exec_path_size);
+  if (rv != -1) {
+    fprintf(stderr, "_NSGetExecutablePath: get length failed\n");
+    abort();
+  }
+
+  std::unique_ptr<char[]> exec_path(new char[exec_path_size]);
+  rv = _NSGetExecutablePath(exec_path.get(), &exec_path_size);
+  if (rv != 0) {
+    fprintf(stderr, "_NSGetExecutablePath: get path failed\n");
+    abort();
+  }
+  sandbox::SeatbeltExecServer::CreateFromArgumentsResult seatbelt =
+      sandbox::SeatbeltExecServer::CreateFromArguments(exec_path.get(), argc,
+                                                       argv);
+  if (seatbelt.sandbox_required) {
+    if (!seatbelt.server) {
+      fprintf(stderr, "Failed to create seatbelt sandbox server.\n");
+      abort();
+    }
+    if (!seatbelt.server->InitializeSandbox()) {
+      fprintf(stderr, "Failed to initialize sandbox.\n");
+      abort();
+    }
+  }
+#endif
+
  return AtomMain(argc, argv);
 }

--- a/atom/browser/atom_browser_main_parts.cc
+++ b/atom/browser/atom_browser_main_parts.cc
@ -198,13 +198,6 @@ void AtomBrowserMainParts::InitializeFeatureList() {
      cmd_line->GetSwitchValueASCII(::switches::kEnableFeatures);
  auto disable_features =
      cmd_line->GetSwitchValueASCII(::switches::kDisableFeatures);
-#if defined(OS_MACOSX)
-  // Disable the V2 sandbox on macOS.
-  // Chromium is going to use the system sandbox API of macOS for the sandbox
-  // implmentation, we may have to deprecate --mixed-sandbox for macOS once
-  // Chromium drops support for the old sandbox implmentation.
-  disable_features += std::string(",") + features::kMacV2Sandbox.name;
-#endif
  // Disable creation of spare renderer process with site-per-process mode,
  // it interferes with our process preference tracking for non sandboxed mode.
  // Can be reenabled when our site instance policy is aligned with chromium