electron-userland/electron-builder

[Feature] no-sandbox on Linux

pronebird opened this issue · 2 comments

  • Version: 21.2.0
  • Target: Linux

Since the suid bit fix was recently merged in 7c2881e, I propose adding a noSandbox option to Linux targets which would do the following:

  1. Remove the chrome-sandbox before packaging the app.
  2. Rename the Electron binary and replace it with a shell script that runs the original binary with --no-sandbox flag.
  3. Run chmod 4755 chrome-sandbox conditionally only if compiled with noSandbox: true 7c2881e#diff-90356ee68ca9eb82e7e254a31921a291R7

The current workaround we use for Linux to disable the sandbox:

const path = require('path');
const fs = require('fs');
const builder = require('electron-builder');
const util = require('util');

const renameAsync = util.promisify(fs.rename);
const unlinkAsync = util.promisify(fs.unlink);

builder.build({
  targets: builder.Platform.LINUX.createTarget(),
  config: {
    afterPack: async (context) => {
      const sourceExecutable = path.join(context.appOutDir, 'my-app');
      const targetExecutable = path.join(context.appOutDir, 'the-real-app');
      const launcherScript = path.join(context.appOutDir, 'launcher-script.sh');
      const chromeSandbox = path.join(context.appOutDir, 'chrome-sandbox');

      // The two renames must run in this order: if the launcher took the
      // name my-app before the binary was moved aside, the binary would be
      // overwritten. Awaiting them sequentially avoids that race.

      // rename my-app to the-real-app
      await renameAsync(sourceExecutable, targetExecutable);

      // rename launcher script to my-app
      await renameAsync(launcherScript, sourceExecutable);

      // remove the chrome-sandbox file since we explicitly disable it
      await unlinkAsync(chromeSandbox);
    },
  },
});

The launcher shell script looks as following:

#!/usr/bin/env bash
set -eu

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
exec "$SCRIPT_DIR/the-real-app" --no-sandbox "$@"

The sandbox can be disabled only when unprivileged user namespaces are disabled in the kernel.

#!/usr/bin/env bash
set -ex

# The sysctl exists only on Debian-derived kernels; `|| echo unknown` keeps set -e
# from aborting the launcher where it is absent (the sandbox then stays enabled).
UNPRIVILEGED_USERNS_ENABLED=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo unknown)
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Collect optional flags in an array so no empty argument reaches the binary when the sandbox stays on.
EXTRA_ARGS=()
[[ "$UNPRIVILEGED_USERNS_ENABLED" == 0 ]] && EXTRA_ARGS+=(--no-sandbox)
exec "$SCRIPT_DIR/the-real-app" ${EXTRA_ARGS[@]+"${EXTRA_ARGS[@]}"} "$@"

stale commented

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.