feat: add app.enableSandbox() (#14999)
This commit is contained in:
Milan Burda
Samuel Attard
parent
cc0c6ad14a
commit
5bd6de52e0
5 changed files with 99 additions and 22 deletions
|
|
@ -1184,6 +1184,33 @@ v8::Local<v8::Promise> App::GetGPUInfo(v8::Isolate* isolate,
|
||||||
return promise->GetHandle();
|
return promise->GetHandle();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void RemoveNoSandboxSwitch(base::CommandLine* command_line) {
|
||||||
|
if (command_line->HasSwitch(service_manager::switches::kNoSandbox)) {
|
||||||
|
const base::CommandLine::CharType* noSandboxArg =
|
||||||
|
FILE_PATH_LITERAL("--no-sandbox");
|
||||||
|
base::CommandLine::StringVector modified_command_line;
|
||||||
|
for (auto& arg : command_line->argv()) {
|
||||||
|
if (arg.compare(noSandboxArg) != 0) {
|
||||||
|
modified_command_line.push_back(arg);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
command_line->InitFromArgv(modified_command_line);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void App::EnableSandbox(mate::Arguments* args) {
|
||||||
|
if (Browser::Get()->is_ready()) {
|
||||||
|
args->ThrowError(
|
||||||
|
"app.enableSandbox() can only be called "
|
||||||
|
"before app is ready");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
auto* command_line = base::CommandLine::ForCurrentProcess();
|
||||||
|
RemoveNoSandboxSwitch(command_line);
|
||||||
|
command_line->AppendSwitch(switches::kEnableSandbox);
|
||||||
|
}
|
||||||
|
|
||||||
void App::EnableMixedSandbox(mate::Arguments* args) {
|
void App::EnableMixedSandbox(mate::Arguments* args) {
|
||||||
if (Browser::Get()->is_ready()) {
|
if (Browser::Get()->is_ready()) {
|
||||||
args->ThrowError(
|
args->ThrowError(
|
||||||
|
|
@ -1193,22 +1220,7 @@ void App::EnableMixedSandbox(mate::Arguments* args) {
|
||||||
}
|
}
|
||||||
|
|
||||||
auto* command_line = base::CommandLine::ForCurrentProcess();
|
auto* command_line = base::CommandLine::ForCurrentProcess();
|
||||||
if (command_line->HasSwitch(service_manager::switches::kNoSandbox)) {
|
RemoveNoSandboxSwitch(command_line);
|
||||||
#if defined(OS_WIN)
|
|
||||||
const base::CommandLine::CharType* noSandboxArg = L"--no-sandbox";
|
|
||||||
#else
|
|
||||||
const base::CommandLine::CharType* noSandboxArg = "--no-sandbox";
|
|
||||||
#endif
|
|
||||||
|
|
||||||
// Remove the --no-sandbox switch
|
|
||||||
base::CommandLine::StringVector modified_command_line;
|
|
||||||
for (auto& arg : command_line->argv()) {
|
|
||||||
if (arg.compare(noSandboxArg) != 0) {
|
|
||||||
modified_command_line.push_back(arg);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
command_line->InitFromArgv(modified_command_line);
|
|
||||||
}
|
|
||||||
command_line->AppendSwitch(switches::kEnableMixedSandbox);
|
command_line->AppendSwitch(switches::kEnableMixedSandbox);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1316,6 +1328,7 @@ void App::BuildPrototype(v8::Isolate* isolate,
|
||||||
.SetMethod("startAccessingSecurityScopedResource",
|
.SetMethod("startAccessingSecurityScopedResource",
|
||||||
&App::StartAccessingSecurityScopedResource)
|
&App::StartAccessingSecurityScopedResource)
|
||||||
#endif
|
#endif
|
||||||
|
.SetMethod("enableSandbox", &App::EnableSandbox)
|
||||||
.SetMethod("enableMixedSandbox", &App::EnableMixedSandbox);
|
.SetMethod("enableMixedSandbox", &App::EnableMixedSandbox);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -203,6 +203,7 @@ class App : public AtomBrowserClient::Delegate,
|
||||||
v8::Local<v8::Value> GetGPUFeatureStatus(v8::Isolate* isolate);
|
v8::Local<v8::Value> GetGPUFeatureStatus(v8::Isolate* isolate);
|
||||||
v8::Local<v8::Promise> GetGPUInfo(v8::Isolate* isolate,
|
v8::Local<v8::Promise> GetGPUInfo(v8::Isolate* isolate,
|
||||||
const std::string& info_type);
|
const std::string& info_type);
|
||||||
|
void EnableSandbox(mate::Arguments* args);
|
||||||
void EnableMixedSandbox(mate::Arguments* args);
|
void EnableMixedSandbox(mate::Arguments* args);
|
||||||
|
|
||||||
#if defined(OS_MACOSX)
|
#if defined(OS_MACOSX)
|
||||||
|
|
|
||||||
|
|
@ -1089,6 +1089,12 @@ correctly.
|
||||||
|
|
||||||
**Note:** This will not affect `process.argv`.
|
**Note:** This will not affect `process.argv`.
|
||||||
|
|
||||||
|
### `app.enableSandbox()` _Experimental_ _macOS_ _Windows_
|
||||||
|
|
||||||
|
Enables full sandbox mode on the app.
|
||||||
|
|
||||||
|
This method can only be called before app is ready.
|
||||||
|
|
||||||
### `app.enableMixedSandbox()` _Experimental_ _macOS_ _Windows_
|
### `app.enableMixedSandbox()` _Experimental_ _macOS_ _Windows_
|
||||||
|
|
||||||
Enables mixed sandbox mode on the app.
|
Enables mixed sandbox mode on the app.
|
||||||
|
|
|
||||||
|
|
@ -872,7 +872,7 @@ describe('app module', () => {
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('mixed sandbox option', () => {
|
describe('sandbox options', () => {
|
||||||
let appProcess = null
|
let appProcess = null
|
||||||
let server = null
|
let server = null
|
||||||
const socketPath = process.platform === 'win32' ? '\\\\.\\pipe\\electron-mixed-sandbox' : '/tmp/electron-mixed-sandbox'
|
const socketPath = process.platform === 'win32' ? '\\\\.\\pipe\\electron-mixed-sandbox' : '/tmp/electron-mixed-sandbox'
|
||||||
|
|
@ -904,10 +904,60 @@ describe('app module', () => {
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('when app.enableMixedSandbox() is called', () => {
|
describe('when app.enableSandbox() is called', () => {
|
||||||
it('adds --enable-sandbox to render processes created with sandbox: true', done => {
|
it('adds --enable-sandbox to all renderer processes', done => {
|
||||||
const appPath = path.join(__dirname, 'fixtures', 'api', 'mixed-sandbox-app')
|
const appPath = path.join(__dirname, 'fixtures', 'api', 'mixed-sandbox-app')
|
||||||
appProcess = ChildProcess.spawn(remote.process.execPath, [appPath])
|
appProcess = ChildProcess.spawn(remote.process.execPath, [appPath, '--app-enable-sandbox'])
|
||||||
|
|
||||||
|
server.once('error', error => { done(error) })
|
||||||
|
|
||||||
|
server.on('connection', client => {
|
||||||
|
client.once('data', data => {
|
||||||
|
const argv = JSON.parse(data)
|
||||||
|
expect(argv.sandbox).to.include('--enable-sandbox')
|
||||||
|
expect(argv.sandbox).to.not.include('--no-sandbox')
|
||||||
|
|
||||||
|
expect(argv.noSandbox).to.include('--enable-sandbox')
|
||||||
|
expect(argv.noSandbox).to.not.include('--no-sandbox')
|
||||||
|
|
||||||
|
expect(argv.noSandboxDevtools).to.be.true()
|
||||||
|
expect(argv.sandboxDevtools).to.be.true()
|
||||||
|
|
||||||
|
done()
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
describe('when the app is launched with --enable-sandbox', () => {
|
||||||
|
it('adds --enable-sandbox to all renderer processes', done => {
|
||||||
|
const appPath = path.join(__dirname, 'fixtures', 'api', 'mixed-sandbox-app')
|
||||||
|
appProcess = ChildProcess.spawn(remote.process.execPath, [appPath, '--enable-sandbox'])
|
||||||
|
|
||||||
|
server.once('error', error => { done(error) })
|
||||||
|
|
||||||
|
server.on('connection', client => {
|
||||||
|
client.once('data', data => {
|
||||||
|
const argv = JSON.parse(data)
|
||||||
|
expect(argv.sandbox).to.include('--enable-sandbox')
|
||||||
|
expect(argv.sandbox).to.not.include('--no-sandbox')
|
||||||
|
|
||||||
|
expect(argv.noSandbox).to.include('--enable-sandbox')
|
||||||
|
expect(argv.noSandbox).to.not.include('--no-sandbox')
|
||||||
|
|
||||||
|
expect(argv.noSandboxDevtools).to.be.true()
|
||||||
|
expect(argv.sandboxDevtools).to.be.true()
|
||||||
|
|
||||||
|
done()
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
describe('when app.enableMixedSandbox() is called', () => {
|
||||||
|
it('adds --enable-sandbox to renderer processes created with sandbox: true', done => {
|
||||||
|
const appPath = path.join(__dirname, 'fixtures', 'api', 'mixed-sandbox-app')
|
||||||
|
appProcess = ChildProcess.spawn(remote.process.execPath, [appPath, '--app-enable-mixed-sandbox'])
|
||||||
|
|
||||||
server.once('error', error => { done(error) })
|
server.once('error', error => { done(error) })
|
||||||
|
|
||||||
|
|
@ -920,6 +970,9 @@ describe('app module', () => {
|
||||||
expect(argv.noSandbox).to.not.include('--enable-sandbox')
|
expect(argv.noSandbox).to.not.include('--enable-sandbox')
|
||||||
expect(argv.noSandbox).to.include('--no-sandbox')
|
expect(argv.noSandbox).to.include('--no-sandbox')
|
||||||
|
|
||||||
|
expect(argv.noSandboxDevtools).to.be.true()
|
||||||
|
expect(argv.sandboxDevtools).to.be.true()
|
||||||
|
|
||||||
done()
|
done()
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
@ -927,7 +980,7 @@ describe('app module', () => {
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('when the app is launched with --enable-mixed-sandbox', () => {
|
describe('when the app is launched with --enable-mixed-sandbox', () => {
|
||||||
it('adds --enable-sandbox to render processes created with sandbox: true', done => {
|
it('adds --enable-sandbox to renderer processes created with sandbox: true', done => {
|
||||||
const appPath = path.join(__dirname, 'fixtures', 'api', 'mixed-sandbox-app')
|
const appPath = path.join(__dirname, 'fixtures', 'api', 'mixed-sandbox-app')
|
||||||
appProcess = ChildProcess.spawn(remote.process.execPath, [appPath, '--enable-mixed-sandbox'])
|
appProcess = ChildProcess.spawn(remote.process.execPath, [appPath, '--enable-mixed-sandbox'])
|
||||||
|
|
||||||
|
|
|
||||||
6
spec/fixtures/api/mixed-sandbox-app/main.js
vendored
6
spec/fixtures/api/mixed-sandbox-app/main.js
vendored
|
|
@ -6,7 +6,11 @@ process.on('uncaughtException', () => {
|
||||||
app.exit(1)
|
app.exit(1)
|
||||||
})
|
})
|
||||||
|
|
||||||
if (!process.argv.includes('--enable-mixed-sandbox')) {
|
if (process.argv.includes('--app-enable-sandbox')) {
|
||||||
|
app.enableSandbox()
|
||||||
|
}
|
||||||
|
|
||||||
|
if (process.argv.includes('--app-enable-mixed-sandbox')) {
|
||||||
app.enableMixedSandbox()
|
app.enableMixedSandbox()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue