electron/patches/chromium/support_mixed_sandbox_with_zygote.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Apthorp <nornagon@nornagon.net>
Date: Wed, 28 Nov 2018 13:20:27 -0800
Subject: support_mixed_sandbox_with_zygote.patch

On Linux, Chromium launches all new renderer processes via a "zygote"
process which has the sandbox pre-initialized (see
//docs/linux_zygote.md). In order to support mixed-sandbox mode, in
which some renderers are launched with the sandbox engaged and others
without it, we need the option to launch non-sandboxed renderers without
going through the zygote.

Chromium already supports a `--no-zygote` flag, but it turns off the
zygote completely, and thus also disables sandboxing. This patch allows
the `--no-zygote` flag to affect renderer processes on a case-by-case
basis, checking immediately prior to launch whether to go through the
zygote or not based on the command-line of the to-be-launched renderer.

This patch could conceivably be upstreamed, as it does not affect
production Chromium (which does not use the `--no-zygote` flag).
However, the patch would need to be reviewed by the security team, as it
does touch a security-sensitive class.

diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
index 0947bc416a00ac23c1d26fdc85baf28e634f419e..57639004908694d5d4a247ee23446b05b9ac0b14 100644
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -1764,9 +1764,15 @@ bool RenderProcessHostImpl::Init() {
     std::unique_ptr<SandboxedProcessLauncherDelegate> sandbox_delegate =
         std::make_unique<RendererSandboxedProcessLauncherDelegateWin>(
             cmd_line.get(), IsJitDisabled());
+#else
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+    bool use_zygote = !cmd_line->HasSwitch(switches::kNoZygote);
+    std::unique_ptr<SandboxedProcessLauncherDelegate> sandbox_delegate =
+        std::make_unique<RendererSandboxedProcessLauncherDelegate>(use_zygote);
 #else
     std::unique_ptr<SandboxedProcessLauncherDelegate> sandbox_delegate =
         std::make_unique<RendererSandboxedProcessLauncherDelegate>();
+#endif
 #endif
 
     auto file_data = std::make_unique<ChildProcessLauncherFileData>();
diff --git a/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.cc b/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.cc
index 02542d2d1c739cd4452381a11759fd23c513b551..68f69a75177792956c3e41fc85f6023452191367 100644
--- a/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.cc
+++ b/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.cc
@@ -31,6 +31,9 @@ namespace content {
 
 #if BUILDFLAG(USE_ZYGOTE_HANDLE)
 ZygoteHandle RendererSandboxedProcessLauncherDelegate::GetZygote() {
+  if (!use_zygote_) {
+    return nullptr;
+  }
   const base::CommandLine& browser_command_line =
       *base::CommandLine::ForCurrentProcess();
   base::CommandLine::StringType renderer_prefix =
@@ -60,6 +63,9 @@ RendererSandboxedProcessLauncherDelegateWin::
           GetContentClient()->browser()->IsRendererCodeIntegrityEnabled()),
       renderer_app_container_disabled_(
           GetContentClient()->browser()->IsRendererAppContainerDisabled()) {
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+  use_zygote_ = !cmd_line->HasSwitch(switches::kNoZygote);
+#endif
   if (is_jit_disabled) {
     dynamic_code_can_be_disabled_ = true;
     return;
diff --git a/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.h b/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.h
index d820cb4ff004194d9c18bfddaf90bf520e8446ff..0dcffcf367b5d08bb31b68e648c1f4ce3aa15600 100644
--- a/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.h
+++ b/content/browser/renderer_host/renderer_sandboxed_process_launcher_delegate.h
@@ -18,6 +18,11 @@ class CONTENT_EXPORT RendererSandboxedProcessLauncherDelegate
  public:
   RendererSandboxedProcessLauncherDelegate() = default;
 
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+  RendererSandboxedProcessLauncherDelegate(bool use_zygote):
+    use_zygote_(use_zygote) {}
+#endif
+
   ~RendererSandboxedProcessLauncherDelegate() override = default;
 
 #if BUILDFLAG(USE_ZYGOTE_HANDLE)
@@ -29,6 +34,11 @@ class CONTENT_EXPORT RendererSandboxedProcessLauncherDelegate
 #endif  // BUILDFLAG(IS_MAC)
 
   sandbox::mojom::Sandbox GetSandboxType() override;
+
+ private:
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+  bool use_zygote_ = true;
+#endif
 };
 
 #if BUILDFLAG(IS_WIN)