Skip to content

Commit

Permalink
fix(linux): Don't setuid chrome-sandbox when not required (#8368)
Browse files Browse the repository at this point in the history
This is not necessary in many environments, so we now test for whether this is required and then enable it only when necessary.
  • Loading branch information
pimterry authored Jul 22, 2024
1 parent c653ebb commit 2acdf65
Show file tree
Hide file tree
Showing 3 changed files with 19 additions and 4 deletions.
5 changes: 5 additions & 0 deletions .changeset/purple-terms-sing.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
"app-builder-lib": patch
---

fix: don't setuid chrome-sandbox when not required
9 changes: 7 additions & 2 deletions packages/app-builder-lib/templates/linux/after-install.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,13 @@ else
ln -sf '/opt/${sanitizedProductName}/${executable}' '/usr/bin/${executable}'
fi

# SUID chrome-sandbox for Electron 5+
chmod 4755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
# Check if user namespaces are supported by the kernel and working with a quick test:
if ! { [[ -L /proc/self/ns/user ]] && unshare --user true; }; then
# Use SUID chrome-sandbox only on systems without user namespaces:
chmod 4755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
else
chmod 0755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
fi

if hash update-mime-database 2>/dev/null; then
update-mime-database /usr/share/mime || true
Expand Down
9 changes: 7 additions & 2 deletions test/snapshots/linux/debTest.js.snap
Original file line number Diff line number Diff line change
Expand Up @@ -530,8 +530,13 @@ else
ln -sf '/opt/foo/Boo' '/usr/bin/Boo'
fi
# SUID chrome-sandbox for Electron 5+
chmod 4755 '/opt/foo/chrome-sandbox' || true
# Check if user namespaces are supported by the kernel and working with a quick test:
if ! { [[ -L /proc/self/ns/user ]] && unshare --user true; }; then
# Use SUID chrome-sandbox only on systems without user namespaces:
chmod 4755 '/opt/foo/chrome-sandbox' || true
else
chmod 0755 '/opt/foo/chrome-sandbox' || true
fi
if hash update-mime-database 2>/dev/null; then
update-mime-database /usr/share/mime || true
Expand Down

0 comments on commit 2acdf65

Please sign in to comment.