electron/patches/chromium/support_mixed_sandbox_with_zygote.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Apthorp <nornagon@nornagon.net>
Date: Wed, 28 Nov 2018 13:20:27 -0800
Subject: support_mixed_sandbox_with_zygote.patch

On Linux, Chromium launches all new renderer processes via a "zygote"
process which has the sandbox pre-initialized (see
//docs/linux_zygote.md). In order to support mixed-sandbox mode, in
which some renderers are launched with the sandbox engaged and others
without it, we need the option to launch non-sandboxed renderers without
going through the zygote.

Chromium already supports a `--no-zygote` flag, but it turns off the
zygote completely, and thus also disables sandboxing. This patch allows
the `--no-zygote` flag to affect renderer processes on a case-by-case
basis, checking immediately prior to launch whether to go through the
zygote or not based on the command-line of the to-be-launched renderer.

This patch could conceivably be upstreamed, as it does not affect
production Chromium (which does not use the `--no-zygote` flag).
However, the patch would need to be reviewed by the security team, as it
does touch a security-sensitive class.

diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
index 9beff8728eba07fe5bbb50701dcec78d61149fde..618700cc99de3174b9de9bc26abcaac5880ec21e 100644
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -416,6 +416,11 @@ class RendererSandboxedProcessLauncherDelegate
   {
   }
 
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+  RendererSandboxedProcessLauncherDelegate(bool use_zygote):
+    use_zygote_(use_zygote) {}
+#endif
+
   ~RendererSandboxedProcessLauncherDelegate() override {}
 
 #if defined(OS_WIN)
@@ -437,6 +442,9 @@ class RendererSandboxedProcessLauncherDelegate
 
 #if BUILDFLAG(USE_ZYGOTE_HANDLE)
   service_manager::ZygoteHandle GetZygote() override {
+    if (!use_zygote_) {
+      return nullptr;
+    }
     const base::CommandLine& browser_command_line =
         *base::CommandLine::ForCurrentProcess();
     base::CommandLine::StringType renderer_prefix =
@@ -451,10 +459,13 @@ class RendererSandboxedProcessLauncherDelegate
     return service_manager::SandboxType::kRenderer;
   }
 
-#if defined(OS_WIN)
  private:
+#if defined(OS_WIN)
   const bool renderer_code_integrity_enabled_;
 #endif
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+  bool use_zygote_ = true;
+#endif
 };
 
 const char kSessionStorageHolderKey[] = "kSessionStorageHolderKey";
@@ -1822,11 +1833,18 @@ bool RenderProcessHostImpl::Init() {
       cmd_line->PrependWrapper(renderer_prefix);
     AppendRendererCommandLine(cmd_line.get());
 
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+    bool use_zygote = !cmd_line->HasSwitch(switches::kNoZygote);
+    auto delegate = std::make_unique<RendererSandboxedProcessLauncherDelegate>(use_zygote);
+#else
+    auto delegate = std::make_unique<RendererSandboxedProcessLauncherDelegate>();
+#endif
+
     // Spawn the child process asynchronously to avoid blocking the UI thread.
     // As long as there's no renderer prefix, we can use the zygote process
     // at this stage.
     child_process_launcher_ = std::make_unique<ChildProcessLauncher>(
-        std::make_unique<RendererSandboxedProcessLauncherDelegate>(),
+        std::move(delegate),
         std::move(cmd_line), GetID(), this, std::move(mojo_invitation_),
         base::BindRepeating(&RenderProcessHostImpl::OnMojoError, id_),
         GetV8SnapshotFilesToPreload());