refactor: Convert ProcessSingleton changes to patch (#30594)

* Convert ProcessSingleton changes to patch

* Update patch

* Polish

* Add sandbox check to patch

* Add missing includes

* Fix linking error

* Fix compile error

* Apply PR feedback

* Fix compile fails

* Fix tests

* Remove extra patch

* Update test

chromium_src/BUILD.gn

@@ -47,6 +47,7 @@ static_library("chrome") {
     "//chrome/browser/predictors/proxy_lookup_client_impl.h",
     "//chrome/browser/predictors/resolve_host_client_impl.cc",
     "//chrome/browser/predictors/resolve_host_client_impl.h",
+    "//chrome/browser/process_singleton.h",
     "//chrome/browser/ui/views/autofill/autofill_popup_view_utils.cc",
     "//chrome/browser/ui/views/autofill/autofill_popup_view_utils.h",
     "//chrome/browser/ui/views/eye_dropper/eye_dropper.cc",
@@ -57,6 +58,10 @@ static_library("chrome") {
     "//extensions/browser/app_window/size_constraints.h",
   ]
 
+  if (is_posix) {
+    sources += [ "//chrome/browser/process_singleton_posix.cc" ]
+  }
+
   if (is_mac) {
     sources += [
       "//chrome/browser/extensions/global_shortcut_listener_mac.h",
@@ -65,6 +70,7 @@ static_library("chrome") {
       "//chrome/browser/media/webrtc/system_media_capture_permissions_mac.h",
       "//chrome/browser/media/webrtc/system_media_capture_permissions_mac.mm",
       "//chrome/browser/media/webrtc/window_icon_util_mac.mm",
+      "//chrome/browser/process_singleton_mac.mm",
       "//chrome/browser/ui/views/eye_dropper/eye_dropper_view_mac.h",
       "//chrome/browser/ui/views/eye_dropper/eye_dropper_view_mac.mm",
     ]
@@ -76,6 +82,7 @@ static_library("chrome") {
       "//chrome/browser/extensions/global_shortcut_listener_win.h",
       "//chrome/browser/icon_loader_win.cc",
       "//chrome/browser/media/webrtc/window_icon_util_win.cc",
+      "//chrome/browser/process_singleton_win.cc",
       "//chrome/browser/ui/frame/window_frame_util.h",
       "//chrome/browser/ui/view_ids.h",
       "//chrome/browser/win/chrome_process_finder.cc",

chromium_src/chrome/browser/process_singleton.h

@@ -1,185 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef CHROME_BROWSER_PROCESS_SINGLETON_H_
-#define CHROME_BROWSER_PROCESS_SINGLETON_H_
-
-#if defined(OS_WIN)
-#include <windows.h>
-#endif  // defined(OS_WIN)
-
-#include "base/callback.h"
-#include "base/command_line.h"
-#include "base/files/file_path.h"
-#include "base/logging.h"
-#include "base/memory/ref_counted.h"
-#include "base/process/process.h"
-#include "base/sequence_checker.h"
-#include "ui/gfx/native_widget_types.h"
-
-#if defined(OS_POSIX) && !defined(OS_ANDROID)
-#include "base/files/scoped_temp_dir.h"
-#endif
-
-#if defined(OS_WIN)
-#include "base/win/message_window.h"
-#endif  // defined(OS_WIN)
-
-namespace base {
-class CommandLine;
-}
-
-// ProcessSingleton ----------------------------------------------------------
-//
-// This class allows different browser processes to communicate with
-// each other.  It is named according to the user data directory, so
-// we can be sure that no more than one copy of the application can be
-// running at once with a given data directory.
-//
-// Implementation notes:
-// - the Windows implementation uses an invisible global message window;
-// - the Linux implementation uses a Unix domain socket in the user data dir.
-
-class ProcessSingleton {
- public:
-  enum NotifyResult {
-    PROCESS_NONE,
-    PROCESS_NOTIFIED,
-    PROFILE_IN_USE,
-    LOCK_ERROR,
-  };
-
-  // Implement this callback to handle notifications from other processes. The
-  // callback will receive the command line and directory with which the other
-  // Chrome process was launched. Return true if the command line will be
-  // handled within the current browser instance or false if the remote process
-  // should handle it (i.e., because the current process is shutting down).
-  using NotificationCallback = base::RepeatingCallback<bool(
-      const base::CommandLine::StringVector& command_line,
-      const base::FilePath& current_directory)>;
-
-  ProcessSingleton(const base::FilePath& user_data_dir,
-                   const NotificationCallback& notification_callback);
-  ~ProcessSingleton();
-
-  // Notify another process, if available. Otherwise sets ourselves as the
-  // singleton instance. Returns PROCESS_NONE if we became the singleton
-  // instance. Callers are guaranteed to either have notified an existing
-  // process or have grabbed the singleton (unless the profile is locked by an
-  // unreachable process).
-  // TODO(brettw): Make the implementation of this method non-platform-specific
-  // by making Linux re-use the Windows implementation.
-  NotifyResult NotifyOtherProcessOrCreate();
-  void StartListeningOnSocket();
-  void OnBrowserReady();
-
-  // Sets ourself up as the singleton instance.  Returns true on success.  If
-  // false is returned, we are not the singleton instance and the caller must
-  // exit.
-  // NOTE: Most callers should generally prefer NotifyOtherProcessOrCreate() to
-  // this method, only callers for whom failure is preferred to notifying
-  // another process should call this directly.
-  bool Create();
-
-  // Clear any lock state during shutdown.
-  void Cleanup();
-
-#if defined(OS_POSIX) && !defined(OS_ANDROID)
-  static void DisablePromptForTesting();
-#endif
-#if defined(OS_WIN)
-  // Called to query whether to kill a hung browser process that has visible
-  // windows. Return true to allow killing the hung process.
-  using ShouldKillRemoteProcessCallback = base::RepeatingCallback<bool()>;
-  void OverrideShouldKillRemoteProcessCallbackForTesting(
-      const ShouldKillRemoteProcessCallback& display_dialog_callback);
-#endif
-
- protected:
-  // Notify another process, if available.
-  // Returns true if another process was found and notified, false if we should
-  // continue with the current process.
-  // On Windows, Create() has to be called before this.
-  NotifyResult NotifyOtherProcess();
-
-#if defined(OS_POSIX) && !defined(OS_ANDROID)
-  // Exposed for testing.  We use a timeout on Linux, and in tests we want
-  // this timeout to be short.
-  NotifyResult NotifyOtherProcessWithTimeout(
-      const base::CommandLine& command_line,
-      int retry_attempts,
-      const base::TimeDelta& timeout,
-      bool kill_unresponsive);
-  NotifyResult NotifyOtherProcessWithTimeoutOrCreate(
-      const base::CommandLine& command_line,
-      int retry_attempts,
-      const base::TimeDelta& timeout);
-  void OverrideCurrentPidForTesting(base::ProcessId pid);
-  void OverrideKillCallbackForTesting(
-      const base::RepeatingCallback<void(int)>& callback);
-#endif
-
- private:
-  NotificationCallback notification_callback_;  // Handler for notifications.
-
-#if defined(OS_WIN)
-  HWND remote_window_ = nullptr;     // The HWND_MESSAGE of another browser.
-  base::win::MessageWindow window_;  // The message-only window.
-  bool is_virtualized_ =
-      false;  // Stuck inside Microsoft Softricity VM environment.
-  HANDLE lock_file_ = INVALID_HANDLE_VALUE;
-  base::FilePath user_data_dir_;
-  ShouldKillRemoteProcessCallback should_kill_remote_process_callback_;
-#elif defined(OS_POSIX) && !defined(OS_ANDROID)
-  // Start listening to the socket.
-  void StartListening(int sock);
-
-  // Return true if the given pid is one of our child processes.
-  // Assumes that the current pid is the root of all pids of the current
-  // instance.
-  bool IsSameChromeInstance(pid_t pid);
-
-  // Extract the process's pid from a symbol link path and if it is on
-  // the same host, kill the process, unlink the lock file and return true.
-  // If the process is part of the same chrome instance, unlink the lock file
-  // and return true without killing it.
-  // If the process is on a different host, return false.
-  bool KillProcessByLockPath();
-
-  // Default function to kill a process, overridable by tests.
-  void KillProcess(int pid);
-
-  // Allow overriding for tests.
-  base::ProcessId current_pid_;
-
-  // Function to call when the other process is hung and needs to be killed.
-  // Allows overriding for tests.
-  base::RepeatingCallback<void(int)> kill_callback_;
-
-  // Path in file system to the socket.
-  base::FilePath socket_path_;
-
-  // Path in file system to the lock.
-  base::FilePath lock_path_;
-
-  // Path in file system to the cookie file.
-  base::FilePath cookie_path_;
-
-  // Temporary directory to hold the socket.
-  base::ScopedTempDir socket_dir_;
-
-  // Helper class for linux specific messages.  LinuxWatcher is ref counted
-  // because it posts messages between threads.
-  class LinuxWatcher;
-  scoped_refptr<LinuxWatcher> watcher_;
-  int sock_ = -1;
-  bool listen_on_ready_ = false;
-#endif
-
-  SEQUENCE_CHECKER(sequence_checker_);
-
-  DISALLOW_COPY_AND_ASSIGN(ProcessSingleton);
-};
-
-#endif  // CHROME_BROWSER_PROCESS_SINGLETON_H_

chromium_src/chrome/browser/process_singleton_win.cc

@@ -1,315 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/browser/process_singleton.h"
-
-#include <windows.h>
-#include <shellapi.h>
-
-#include "base/base_paths.h"
-#include "base/bind.h"
-#include "base/command_line.h"
-#include "base/files/file_path.h"
-#include "base/files/file_util.h"
-#include "base/process/process.h"
-#include "base/process/process_info.h"
-#include "base/strings/string_number_conversions.h"
-#include "base/strings/stringprintf.h"
-#include "base/strings/utf_string_conversions.h"
-#include "base/time/time.h"
-#include "base/win/registry.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
-#include "chrome/browser/win/chrome_process_finder.h"
-#include "content/public/common/result_codes.h"
-#include "net/base/escape.h"
-#include "ui/gfx/win/hwnd_util.h"
-
-namespace {
-
-const char kLockfile[] = "lockfile";
-
-// A helper class that acquires the given |mutex| while the AutoLockMutex is in
-// scope.
-class AutoLockMutex {
- public:
-  explicit AutoLockMutex(HANDLE mutex) : mutex_(mutex) {
-    DWORD result = ::WaitForSingleObject(mutex_, INFINITE);
-    DPCHECK(result == WAIT_OBJECT_0) << "Result = " << result;
-  }
-
-  ~AutoLockMutex() {
-    BOOL released = ::ReleaseMutex(mutex_);
-    DPCHECK(released);
-  }
-
- private:
-  HANDLE mutex_;
-  DISALLOW_COPY_AND_ASSIGN(AutoLockMutex);
-};
-
-// A helper class that releases the given |mutex| while the AutoUnlockMutex is
-// in scope and immediately re-acquires it when going out of scope.
-class AutoUnlockMutex {
- public:
-  explicit AutoUnlockMutex(HANDLE mutex) : mutex_(mutex) {
-    BOOL released = ::ReleaseMutex(mutex_);
-    DPCHECK(released);
-  }
-
-  ~AutoUnlockMutex() {
-    DWORD result = ::WaitForSingleObject(mutex_, INFINITE);
-    DPCHECK(result == WAIT_OBJECT_0) << "Result = " << result;
-  }
-
- private:
-  HANDLE mutex_;
-  DISALLOW_COPY_AND_ASSIGN(AutoUnlockMutex);
-};
-
-// Checks the visibility of the enumerated window and signals once a visible
-// window has been found.
-BOOL CALLBACK BrowserWindowEnumeration(HWND window, LPARAM param) {
-  bool* result = reinterpret_cast<bool*>(param);
-  *result = ::IsWindowVisible(window) != 0;
-  // Stops enumeration if a visible window has been found.
-  return !*result;
-}
-
-bool ParseCommandLine(const COPYDATASTRUCT* cds,
-                      base::CommandLine::StringVector* parsed_command_line,
-                      base::FilePath* current_directory) {
-  // We should have enough room for the shortest command (min_message_size)
-  // and also be a multiple of wchar_t bytes. The shortest command
-  // possible is L"START\0\0" (empty current directory and command line).
-  static const int min_message_size = 7;
-  if (cds->cbData < min_message_size * sizeof(wchar_t) ||
-      cds->cbData % sizeof(wchar_t) != 0) {
-    LOG(WARNING) << "Invalid WM_COPYDATA, length = " << cds->cbData;
-    return false;
-  }
-
-  // We split the string into 4 parts on NULLs.
-  DCHECK(cds->lpData);
-  const std::wstring msg(static_cast<wchar_t*>(cds->lpData),
-                         cds->cbData / sizeof(wchar_t));
-  const std::wstring::size_type first_null = msg.find_first_of(L'\0');
-  if (first_null == 0 || first_null == std::wstring::npos) {
-    // no NULL byte, don't know what to do
-    LOG(WARNING) << "Invalid WM_COPYDATA, length = " << msg.length()
-                 << ", first null = " << first_null;
-    return false;
-  }
-
-  // Decode the command, which is everything until the first NULL.
-  if (msg.substr(0, first_null) == L"START") {
-    // Another instance is starting parse the command line & do what it would
-    // have done.
-    VLOG(1) << "Handling STARTUP request from another process";
-    const std::wstring::size_type second_null =
-        msg.find_first_of(L'\0', first_null + 1);
-    if (second_null == std::wstring::npos || first_null == msg.length() - 1 ||
-        second_null == msg.length()) {
-      LOG(WARNING) << "Invalid format for start command, we need a string in 4 "
-                      "parts separated by NULLs";
-      return false;
-    }
-
-    // Get current directory.
-    *current_directory =
-        base::FilePath(msg.substr(first_null + 1, second_null - first_null));
-
-    const std::wstring::size_type third_null =
-        msg.find_first_of(L'\0', second_null + 1);
-    if (third_null == std::wstring::npos || third_null == msg.length()) {
-      LOG(WARNING) << "Invalid format for start command, we need a string in 4 "
-                      "parts separated by NULLs";
-    }
-
-    // Get command line.
-    const std::wstring cmd_line =
-        msg.substr(second_null + 1, third_null - second_null);
-    *parsed_command_line = base::CommandLine::FromString(cmd_line).argv();
-    return true;
-  }
-  return false;
-}
-
-bool ProcessLaunchNotification(
-    const ProcessSingleton::NotificationCallback& notification_callback,
-    UINT message,
-    WPARAM wparam,
-    LPARAM lparam,
-    LRESULT* result) {
-  if (message != WM_COPYDATA)
-    return false;
-
-  // Handle the WM_COPYDATA message from another process.
-  const COPYDATASTRUCT* cds = reinterpret_cast<COPYDATASTRUCT*>(lparam);
-
-  base::CommandLine::StringVector parsed_command_line;
-  base::FilePath current_directory;
-  if (!ParseCommandLine(cds, &parsed_command_line, &current_directory)) {
-    *result = TRUE;
-    return true;
-  }
-
-  *result = notification_callback.Run(parsed_command_line, current_directory)
-                ? TRUE
-                : FALSE;
-  return true;
-}
-
-bool TerminateAppWithError() {
-  // TODO: This is called when the secondary process can't ping the primary
-  // process. Need to find out what to do here.
-  return false;
-}
-
-}  // namespace
-
-ProcessSingleton::ProcessSingleton(
-    const base::FilePath& user_data_dir,
-    const NotificationCallback& notification_callback)
-    : notification_callback_(notification_callback),
-      user_data_dir_(user_data_dir),
-      should_kill_remote_process_callback_(
-          base::BindRepeating(&TerminateAppWithError)) {
-  // The user_data_dir may have not been created yet.
-  base::CreateDirectoryAndGetError(user_data_dir, nullptr);
-}
-
-ProcessSingleton::~ProcessSingleton() {
-  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
-  if (lock_file_ != INVALID_HANDLE_VALUE)
-    ::CloseHandle(lock_file_);
-}
-
-// Code roughly based on Mozilla.
-ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcess() {
-  if (is_virtualized_)
-    return PROCESS_NOTIFIED;  // We already spawned the process in this case.
-  if (lock_file_ == INVALID_HANDLE_VALUE && !remote_window_) {
-    return LOCK_ERROR;
-  } else if (!remote_window_) {
-    return PROCESS_NONE;
-  }
-
-  switch (chrome::AttemptToNotifyRunningChrome(remote_window_)) {
-    case chrome::NOTIFY_SUCCESS:
-      return PROCESS_NOTIFIED;
-    case chrome::NOTIFY_FAILED:
-      remote_window_ = NULL;
-      return PROCESS_NONE;
-    case chrome::NOTIFY_WINDOW_HUNG:
-      // Fall through and potentially terminate the hung browser.
-      break;
-  }
-
-  DWORD process_id = 0;
-  DWORD thread_id = ::GetWindowThreadProcessId(remote_window_, &process_id);
-  if (!thread_id || !process_id) {
-    remote_window_ = NULL;
-    return PROCESS_NONE;
-  }
-  base::Process process = base::Process::Open(process_id);
-
-  // The window is hung. Scan for every window to find a visible one.
-  bool visible_window = false;
-  ::EnumThreadWindows(thread_id, &BrowserWindowEnumeration,
-                      reinterpret_cast<LPARAM>(&visible_window));
-
-  // If there is a visible browser window, ask the user before killing it.
-  if (visible_window && !should_kill_remote_process_callback_.Run()) {
-    // The user denied. Quit silently.
-    return PROCESS_NOTIFIED;
-  }
-
-  // Time to take action. Kill the browser process.
-  process.Terminate(content::RESULT_CODE_HUNG, true);
-  remote_window_ = NULL;
-  return PROCESS_NONE;
-}
-
-ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcessOrCreate() {
-  ProcessSingleton::NotifyResult result = PROCESS_NONE;
-  if (!Create()) {
-    result = NotifyOtherProcess();
-    if (result == PROCESS_NONE)
-      result = PROFILE_IN_USE;
-  }
-  return result;
-}
-
-void ProcessSingleton::StartListeningOnSocket() {}
-void ProcessSingleton::OnBrowserReady() {}
-
-// Look for a Chrome instance that uses the same profile directory. If there
-// isn't one, create a message window with its title set to the profile
-// directory path.
-bool ProcessSingleton::Create() {
-  static const wchar_t kMutexName[] = L"Local\\AtomProcessSingletonStartup!";
-
-  remote_window_ = chrome::FindRunningChromeWindow(user_data_dir_);
-  if (!remote_window_) {
-    // Make sure we will be the one and only process creating the window.
-    // We use a named Mutex since we are protecting against multi-process
-    // access. As documented, it's clearer to NOT request ownership on creation
-    // since it isn't guaranteed we will get it. It is better to create it
-    // without ownership and explicitly get the ownership afterward.
-    base::win::ScopedHandle only_me(::CreateMutex(NULL, FALSE, kMutexName));
-    if (!only_me.IsValid()) {
-      DPLOG(FATAL) << "CreateMutex failed";
-      return false;
-    }
-
-    AutoLockMutex auto_lock_only_me(only_me.Get());
-
-    // We now own the mutex so we are the only process that can create the
-    // window at this time, but we must still check if someone created it
-    // between the time where we looked for it above and the time the mutex
-    // was given to us.
-    remote_window_ = chrome::FindRunningChromeWindow(user_data_dir_);
-    if (!remote_window_) {
-      // We have to make sure there is no Chrome instance running on another
-      // machine that uses the same profile.
-      base::FilePath lock_file_path = user_data_dir_.AppendASCII(kLockfile);
-      lock_file_ =
-          ::CreateFile(lock_file_path.value().c_str(), GENERIC_WRITE,
-                       FILE_SHARE_READ, NULL, CREATE_ALWAYS,
-                       FILE_ATTRIBUTE_NORMAL | FILE_FLAG_DELETE_ON_CLOSE, NULL);
-      DWORD error = ::GetLastError();
-      LOG_IF(WARNING, lock_file_ != INVALID_HANDLE_VALUE &&
-                          error == ERROR_ALREADY_EXISTS)
-          << "Lock file exists but is writable.";
-      LOG_IF(ERROR, lock_file_ == INVALID_HANDLE_VALUE)
-          << "Lock file can not be created! Error code: " << error;
-
-      if (lock_file_ != INVALID_HANDLE_VALUE) {
-        // Set the window's title to the path of our user data directory so
-        // other Chrome instances can decide if they should forward to us.
-        bool result =
-            window_.CreateNamed(base::BindRepeating(&ProcessLaunchNotification,
-                                                    notification_callback_),
-                                user_data_dir_.value());
-
-        // NB: Ensure that if the primary app gets started as elevated
-        // admin inadvertently, secondary windows running not as elevated
-        // will still be able to send messages
-        ::ChangeWindowMessageFilterEx(window_.hwnd(), WM_COPYDATA, MSGFLT_ALLOW,
-                                      NULL);
-        CHECK(result && window_.hwnd());
-      }
-    }
-  }
-
-  return window_.hwnd() != NULL;
-}
-
-void ProcessSingleton::Cleanup() {}
-
-void ProcessSingleton::OverrideShouldKillRemoteProcessCallbackForTesting(
-    const ShouldKillRemoteProcessCallback& display_dialog_callback) {
-  should_kill_remote_process_callback_ = display_dialog_callback;
-}

filenames.gni

@@ -56,13 +56,9 @@ filenames = {
     "shell/browser/ui/x/x_window_utils.h",
   ]
 
-  lib_sources_posix = [
+  lib_sources_posix = [ "shell/browser/electron_browser_main_parts_posix.cc" ]
-    "chromium_src/chrome/browser/process_singleton_posix.cc",
-    "shell/browser/electron_browser_main_parts_posix.cc",
-  ]
 
   lib_sources_win = [
-    "chromium_src/chrome/browser/process_singleton_win.cc",
     "shell/browser/api/electron_api_power_monitor_win.cc",
     "shell/browser/api/electron_api_system_preferences_win.cc",
     "shell/browser/browser_win.cc",
@@ -236,7 +232,6 @@ filenames = {
   ]
 
   lib_sources = [
-    "chromium_src/chrome/browser/process_singleton.h",
     "shell/app/command_line_args.cc",
     "shell/app/command_line_args.h",
     "shell/app/electron_content_client.cc",

patches/chromium/.patches

@@ -107,3 +107,4 @@ fix_media_key_usage_with_globalshortcuts.patch
 feat_expose_raw_response_headers_from_urlloader.patch
 chore_do_not_use_chrome_windows_in_cryptotoken_webrequestsender.patch
 fix_chrome_root_store_codegen_for_cross-compile_builds.patch
+process_singleton.patch

patches/chromium/process_singleton.patch

@@ -0,0 +1,307 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Raymond Zhao <raymondzhao@microsoft.com>
+Date: Wed, 18 Aug 2021 08:24:10 -0700
+Subject: Convert Electron ProcessSingleton changes to patch
+
+This patch applies Electron ProcessSingleton changes
+onto the Chromium files, so that Electron doesn't need to maintain
+separate copies of those files.
+
+This patch adds a few changes to the Chromium code:
+1. It adds a parameter `program_name` to the Windows constructor, making
+   the generated mutex name on the Windows-side program-dependent,
+   rather than shared between all Electron applications.
+2. It adds an `IsAppSandboxed` check for macOS so that
+   sandboxed applications generate shorter temp paths.
+3. It adds a `ChangeWindowMessageFilterEx` call to the Windows
+   implementation, along with a parameter `is_app_sandboxed` in the
+   constructor, to handle the case when the primary app is run with
+   admin permissions.
+4. It adds an `OnBrowserReady` function to allow
+   `requestSingleInstanceLock` to start listening to the socket later
+   in the posix implementation. This function is necessary, because
+   otherwise, users calling `requestSingleInstanceLock` create a
+   `ProcessSingleton` instance that tries to connect to the socket
+   before the browser thread is ready.
+
+diff --git a/chrome/browser/process_singleton.h b/chrome/browser/process_singleton.h
+index 0291db0f919aa7868d345f4f0712c42c6ad7ee17..9418bbacb11094628c4468d0a7b735a0f742e5f2 100644
+--- a/chrome/browser/process_singleton.h
++++ b/chrome/browser/process_singleton.h
+@@ -103,8 +103,15 @@ class ProcessSingleton {
+       base::RepeatingCallback<bool(const base::CommandLine& command_line,
+                                    const base::FilePath& current_directory)>;
+ 
++#if defined(OS_WIN)
++  ProcessSingleton(const std::string& program_name,
++                   const base::FilePath& user_data_dir,
++                   bool is_sandboxed,
++                   const NotificationCallback& notification_callback);
++#else
+   ProcessSingleton(const base::FilePath& user_data_dir,
+                    const NotificationCallback& notification_callback);
++#endif
+   ~ProcessSingleton();
+ 
+   // Notify another process, if available. Otherwise sets ourselves as the
+@@ -115,6 +122,8 @@ class ProcessSingleton {
+   // TODO(brettw): Make the implementation of this method non-platform-specific
+   // by making Linux re-use the Windows implementation.
+   NotifyResult NotifyOtherProcessOrCreate();
++  void StartListeningOnSocket();
++  void OnBrowserReady();
+ 
+   // Sets ourself up as the singleton instance.  Returns true on success.  If
+   // false is returned, we are not the singleton instance and the caller must
+@@ -170,6 +179,8 @@ class ProcessSingleton {
+ #if defined(OS_WIN)
+   bool EscapeVirtualization(const base::FilePath& user_data_dir);
+ 
++  std::string program_name_; // Used for mutexName.
++  bool is_app_sandboxed_; // Whether the Electron app is sandboxed.
+   HWND remote_window_;  // The HWND_MESSAGE of another browser.
+   base::win::MessageWindow window_;  // The message-only window.
+   bool is_virtualized_;  // Stuck inside Microsoft Softricity VM environment.
+@@ -219,6 +230,8 @@ class ProcessSingleton {
+   // because it posts messages between threads.
+   class LinuxWatcher;
+   scoped_refptr<LinuxWatcher> watcher_;
++  int sock_ = -1;
++  bool listen_on_ready_ = false;
+ #endif
+ 
+ #if defined(OS_MAC)
+diff --git a/chrome/browser/process_singleton_posix.cc b/chrome/browser/process_singleton_posix.cc
+index dc9c1b76a1c7c8b3fa83fc83788eef36d2cfa4a5..31b387ca3cae53c94d8a7baefaeb17f3dbffe5e0 100644
+--- a/chrome/browser/process_singleton_posix.cc
++++ b/chrome/browser/process_singleton_posix.cc
+@@ -80,6 +80,7 @@
+ #include "base/strings/stringprintf.h"
+ #include "base/strings/sys_string_conversions.h"
+ #include "base/strings/utf_string_conversions.h"
++#include "base/task/post_task.h"
+ #include "base/threading/platform_thread.h"
+ #include "base/threading/thread_task_runner_handle.h"
+ #include "base/time/time.h"
+@@ -95,9 +96,11 @@
+ #include "net/base/network_interfaces.h"
+ #include "ui/base/l10n/l10n_util.h"
+ 
++#if 0
+ #if defined(OS_LINUX) || defined(OS_CHROMEOS)
+ #include "chrome/browser/ui/process_singleton_dialog_linux.h"
+ #endif
++#endif
+ 
+ #if defined(TOOLKIT_VIEWS) && \
+     (defined(OS_LINUX) || BUILDFLAG(IS_CHROMEOS_LACROS))
+@@ -289,6 +292,9 @@ bool SymlinkPath(const base::FilePath& target, const base::FilePath& path) {
+ bool DisplayProfileInUseError(const base::FilePath& lock_path,
+                               const std::string& hostname,
+                               int pid) {
++  return true;
++
++#if 0
+   std::u16string error = l10n_util::GetStringFUTF16(
+       IDS_PROFILE_IN_USE_POSIX, base::NumberToString16(pid),
+       base::ASCIIToUTF16(hostname));
+@@ -308,6 +314,7 @@ bool DisplayProfileInUseError(const base::FilePath& lock_path,
+ 
+   NOTREACHED();
+   return false;
++#endif
+ }
+ 
+ bool IsChromeProcess(pid_t pid) {
+@@ -348,6 +355,21 @@ bool CheckCookie(const base::FilePath& path, const base::FilePath& cookie) {
+   return (cookie == ReadLink(path));
+ }
+ 
++bool IsAppSandboxed() {
++#if defined(OS_MAC)
++  // NB: There is no sane API for this, we have to just guess by
++  // reading tea leaves
++  base::FilePath home_dir;
++  if (!base::PathService::Get(base::DIR_HOME, &home_dir)) {
++    return false;
++  }
++
++  return home_dir.value().find("Library/Containers") != std::string::npos;
++#else
++  return false;
++#endif  // defined(OS_MAC)
++}
++
+ bool ConnectSocket(ScopedSocket* socket,
+                    const base::FilePath& socket_path,
+                    const base::FilePath& cookie_path) {
+@@ -727,6 +749,10 @@ ProcessSingleton::ProcessSingleton(
+ 
+ ProcessSingleton::~ProcessSingleton() {
+   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
++  // Manually free resources with IO explicitly allowed.
++  base::ThreadRestrictions::ScopedAllowIO allow_io;
++  watcher_ = nullptr;
++  ignore_result(socket_dir_.Delete());
+ }
+ 
+ ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcess() {
+@@ -895,6 +921,20 @@ ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcessOrCreate() {
+       base::TimeDelta::FromSeconds(kTimeoutInSeconds));
+ }
+ 
++void ProcessSingleton::StartListeningOnSocket() {
++  watcher_ = base::MakeRefCounted<LinuxWatcher>(this);
++  base::PostTask(FROM_HERE, {BrowserThread::IO},
++                 base::BindOnce(&ProcessSingleton::LinuxWatcher::StartListening,
++                                watcher_, sock_));
++}
++
++void ProcessSingleton::OnBrowserReady() {
++  if (listen_on_ready_) {
++    StartListeningOnSocket();
++    listen_on_ready_ = false;
++  }
++}
++
+ ProcessSingleton::NotifyResult
+ ProcessSingleton::NotifyOtherProcessWithTimeoutOrCreate(
+     const base::CommandLine& command_line,
+@@ -997,12 +1037,26 @@ bool ProcessSingleton::Create() {
+ #endif
+   }
+ 
+-  // Create the socket file somewhere in /tmp which is usually mounted as a
+-  // normal filesystem. Some network filesystems (notably AFS) are screwy and
+-  // do not support Unix domain sockets.
+-  if (!socket_dir_.CreateUniqueTempDir()) {
+-    LOG(ERROR) << "Failed to create socket directory.";
+-    return false;
++  if (IsAppSandboxed()) {
++    // For sandboxed applications, the tmp dir could be too long to fit
++    // addr->sun_path, so we need to make it as short as possible.
++    base::FilePath tmp_dir;
++    if (!base::GetTempDir(&tmp_dir)) {
++      LOG(ERROR) << "Failed to get temporary directory.";
++      return false;
++    }
++    if (!socket_dir_.Set(tmp_dir.Append("S"))) {
++      LOG(ERROR) << "Failed to set socket directory.";
++      return false;
++    }
++  } else {
++    // Create the socket file somewhere in /tmp which is usually mounted as a
++    // normal filesystem. Some network filesystems (notably AFS) are screwy and
++    // do not support Unix domain sockets.
++    if (!socket_dir_.CreateUniqueTempDir()) {
++      LOG(ERROR) << "Failed to create socket directory.";
++      return false;
++    }
+   }
+ 
+   // Check that the directory was created with the correct permissions.
+@@ -1044,10 +1098,13 @@ bool ProcessSingleton::Create() {
+   if (listen(sock, 5) < 0)
+     NOTREACHED() << "listen failed: " << base::safe_strerror(errno);
+ 
+-  DCHECK(BrowserThread::IsThreadInitialized(BrowserThread::IO));
+-  content::GetIOThreadTaskRunner({})->PostTask(
+-      FROM_HERE, base::BindOnce(&ProcessSingleton::LinuxWatcher::StartListening,
+-                                watcher_, sock));
++  sock_ = sock;
++
++  if (BrowserThread::IsThreadInitialized(BrowserThread::IO)) {
++    StartListeningOnSocket();
++  } else {
++    listen_on_ready_ = true;
++  }
+ 
+   return true;
+ }
+diff --git a/chrome/browser/process_singleton_win.cc b/chrome/browser/process_singleton_win.cc
+index f1732f042c3bfd9d5d95a4208664f9252b2aab73..875269776e45c96ac43a3430768f1406c9608dd3 100644
+--- a/chrome/browser/process_singleton_win.cc
++++ b/chrome/browser/process_singleton_win.cc
+@@ -27,7 +27,9 @@
+ #include "base/win/windows_version.h"
+ #include "base/win/wmi.h"
+ #include "chrome/browser/shell_integration.h"
++#if 0
+ #include "chrome/browser/ui/simple_message_box.h"
++#endif
+ #include "chrome/browser/win/chrome_process_finder.h"
+ #include "chrome/common/chrome_constants.h"
+ #include "chrome/common/chrome_paths.h"
+@@ -175,10 +177,15 @@ bool ProcessLaunchNotification(
+ }
+ 
+ bool DisplayShouldKillMessageBox() {
++#if 0
+   return chrome::ShowQuestionMessageBoxSync(
+              NULL, l10n_util::GetStringUTF16(IDS_PRODUCT_NAME),
+              l10n_util::GetStringUTF16(IDS_BROWSER_HUNGBROWSER_MESSAGE)) !=
+          chrome::MESSAGE_BOX_RESULT_NO;
++#endif
++  // This is called when the secondary process can't ping the primary
++  // process.
++  return false;
+ }
+ 
+ void SendRemoteProcessInteractionResultHistogram(
+@@ -260,9 +267,13 @@ bool ProcessSingleton::EscapeVirtualization(
+ }
+ 
+ ProcessSingleton::ProcessSingleton(
++    const std::string& program_name,
+     const base::FilePath& user_data_dir,
++    bool is_app_sandboxed,
+     const NotificationCallback& notification_callback)
+     : notification_callback_(notification_callback),
++      program_name_(program_name),
++      is_app_sandboxed_(is_app_sandboxed),
+       is_virtualized_(false),
+       lock_file_(INVALID_HANDLE_VALUE),
+       user_data_dir_(user_data_dir),
+@@ -366,11 +377,14 @@ ProcessSingleton::NotifyOtherProcessOrCreate() {
+   return PROFILE_IN_USE;
+ }
+ 
++void ProcessSingleton::StartListeningOnSocket() {}
++void ProcessSingleton::OnBrowserReady() {}
++
+ // Look for a Chrome instance that uses the same profile directory. If there
+ // isn't one, create a message window with its title set to the profile
+ // directory path.
+ bool ProcessSingleton::Create() {
+-  static const wchar_t kMutexName[] = L"Local\\ChromeProcessSingletonStartup!";
++  std::wstring mutexName = base::UTF8ToWide("Local\\" + program_name_ + "ProcessSingletonStartup");
+ 
+   remote_window_ = chrome::FindRunningChromeWindow(user_data_dir_);
+   if (!remote_window_ && !EscapeVirtualization(user_data_dir_)) {
+@@ -379,7 +393,7 @@ bool ProcessSingleton::Create() {
+     // access. As documented, it's clearer to NOT request ownership on creation
+     // since it isn't guaranteed we will get it. It is better to create it
+     // without ownership and explicitly get the ownership afterward.
+-    base::win::ScopedHandle only_me(::CreateMutex(NULL, FALSE, kMutexName));
++    base::win::ScopedHandle only_me(::CreateMutex(NULL, FALSE, mutexName.c_str()));
+     if (!only_me.IsValid()) {
+       DPLOG(FATAL) << "CreateMutex failed";
+       return false;
+@@ -418,6 +432,17 @@ bool ProcessSingleton::Create() {
+             window_.CreateNamed(base::BindRepeating(&ProcessLaunchNotification,
+                                                     notification_callback_),
+                                 user_data_dir_.value());
++
++        // When the app is sandboxed, firstly, the app should not be in
++        // admin mode, and even if it somehow is, messages from an unelevated
++        // instance should not be able to be sent to it.
++        if (!is_app_sandboxed_) {
++          // NB: Ensure that if the primary app gets started as elevated
++          // admin inadvertently, secondary windows running not as elevated
++          // will still be able to send messages.
++          ::ChangeWindowMessageFilterEx(window_.hwnd(), WM_COPYDATA, MSGFLT_ALLOW,
++                                        NULL);
++        }
+         CHECK(result && window_.hwnd());
+       }
+     }

shell/app/command_line_args.cc

@@ -3,8 +3,12 @@
 // found in the LICENSE file.
 
 #include "shell/app/command_line_args.h"
+
 #include <locale>
 
+#include "sandbox/policy/switches.h"
+#include "shell/common/options_switches.h"
+
 namespace {
 
 bool IsUrlArg(const base::CommandLine::CharType* arg) {
@@ -51,4 +55,9 @@ bool CheckCommandLineArguments(int argc, base::CommandLine::CharType** argv) {
   return true;
 }
 
+bool IsSandboxEnabled(base::CommandLine* command_line) {
+  return command_line->HasSwitch(switches::kEnableSandbox) ||
+         !command_line->HasSwitch(sandbox::policy::switches::kNoSandbox);
+}
+
 }  // namespace electron

shell/app/command_line_args.h

@@ -10,6 +10,7 @@
 namespace electron {
 
 bool CheckCommandLineArguments(int argc, base::CommandLine::CharType** argv);
+bool IsSandboxEnabled(base::CommandLine* command_line);
 
 }  // namespace electron
 

shell/app/electron_main_delegate.cc

@@ -25,6 +25,7 @@
 #include "ipc/ipc_buildflags.h"
 #include "sandbox/policy/switches.h"
 #include "services/tracing/public/cpp/stack_sampling/tracing_sampler_profiler.h"
+#include "shell/app/command_line_args.h"
 #include "shell/app/electron_content_client.h"
 #include "shell/browser/electron_browser_client.h"
 #include "shell/browser/electron_gpu_client.h"
@@ -82,11 +83,6 @@ bool IsBrowserProcess(base::CommandLine* cmd) {
   return process_type.empty();
 }
 
-bool IsSandboxEnabled(base::CommandLine* command_line) {
-  return command_line->HasSwitch(switches::kEnableSandbox) ||
-         !command_line->HasSwitch(sandbox::policy::switches::kNoSandbox);
-}
-
 // Returns true if this subprocess type needs the ResourceBundle initialized
 // and resources loaded.
 bool SubprocessNeedsResourceBundle(const std::string& process_type) {

shell/browser/api/electron_api_app.cc

@@ -38,6 +38,7 @@
 #include "net/ssl/ssl_private_key.h"
 #include "sandbox/policy/switches.h"
 #include "services/network/network_service.h"
+#include "shell/app/command_line_args.h"
 #include "shell/browser/api/electron_api_menu.h"
 #include "shell/browser/api/electron_api_session.h"
 #include "shell/browser/api/electron_api_web_contents.h"
@@ -511,9 +512,9 @@ int GetPathConstant(const std::string& name) {
 
 bool NotificationCallbackWrapper(
     const base::RepeatingCallback<
-        void(const base::CommandLine::StringVector& command_line,
+        void(const base::CommandLine& command_line,
              const base::FilePath& current_directory)>& callback,
-    const base::CommandLine::StringVector& cmd,
+    const base::CommandLine& cmd,
     const base::FilePath& cwd) {
   // Make sure the callback is called after app gets ready.
   if (Browser::Get()->is_ready()) {
@@ -1067,9 +1068,9 @@ std::string App::GetLocaleCountryCode() {
   return region.size() == 2 ? region : std::string();
 }
 
-void App::OnSecondInstance(const base::CommandLine::StringVector& cmd,
+void App::OnSecondInstance(const base::CommandLine& cmd,
                            const base::FilePath& cwd) {
-  Emit("second-instance", cmd, cwd);
+  Emit("second-instance", cmd.argv(), cwd);
 }
 
 bool App::HasSingleInstanceLock() const {
@@ -1082,13 +1083,23 @@ bool App::RequestSingleInstanceLock() {
   if (HasSingleInstanceLock())
     return true;
 
+  std::string program_name = electron::Browser::Get()->GetName();
+
   base::FilePath user_dir;
   base::PathService::Get(chrome::DIR_USER_DATA, &user_dir);
 
   auto cb = base::BindRepeating(&App::OnSecondInstance, base::Unretained(this));
 
+#if defined(OS_WIN)
+  bool app_is_sandboxed =
+      IsSandboxEnabled(base::CommandLine::ForCurrentProcess());
+  process_singleton_ = std::make_unique<ProcessSingleton>(
+      program_name, user_dir, app_is_sandboxed,
+      base::BindRepeating(NotificationCallbackWrapper, cb));
+#else
   process_singleton_ = std::make_unique<ProcessSingleton>(
       user_dir, base::BindRepeating(NotificationCallbackWrapper, cb));
+#endif
 
   switch (process_singleton_->NotifyOtherProcessOrCreate()) {
     case ProcessSingleton::NotifyResult::LOCK_ERROR:

shell/browser/api/electron_api_app.h

@@ -188,7 +188,7 @@ class App : public ElectronBrowserClient::Delegate,
   void SetDesktopName(const std::string& desktop_name);
   std::string GetLocale();
   std::string GetLocaleCountryCode();
-  void OnSecondInstance(const base::CommandLine::StringVector& cmd,
+  void OnSecondInstance(const base::CommandLine& cmd,
                         const base::FilePath& cwd);
   bool HasSingleInstanceLock() const;
   bool RequestSingleInstanceLock();

spec-main/api-app-spec.ts

@@ -240,11 +240,12 @@ describe('app module', () => {
       expect(code1).to.equal(0);
       const data2 = (await data2Promise)[0].toString('ascii');
       const secondInstanceArgsReceived: string[] = JSON.parse(data2.toString('ascii'));
-      const expected = process.platform === 'win32'
+
-        ? [process.execPath, '--some-switch', '--allow-file-access-from-files', appPath, 'some-arg']
+      // Ensure secondInstanceArgs is a subset of secondInstanceArgsReceived
-        : secondInstanceArgs;
+      for (const arg of secondInstanceArgs) {
-      expect(secondInstanceArgsReceived).to.eql(expected,
+        expect(secondInstanceArgsReceived).to.include(arg,
-        `expected ${JSON.stringify(expected)} but got ${data2.toString('ascii')}`);
+          `argument ${arg} is missing from received second args`);
+      }
     });
   });