зеркало из https://github.com/electron/electron.git
31 строка
1.5 KiB
Diff
31 строка
1.5 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Jeremy Apthorp <nornagon@nornagon.net>
|
|
Date: Mon, 26 Aug 2019 12:02:51 -0700
|
|
Subject: allow new privileges in unsandboxed child processes
|
|
|
|
This allows unsandboxed renderers to launch setuid processes on Linux.
|
|
|
|
diff --git a/content/browser/child_process_launcher_helper_linux.cc b/content/browser/child_process_launcher_helper_linux.cc
|
|
index f60ad777ab7698a4518d3b1b61ade29e7c618a3a..c7781bdb49f8a92aa9ee1d8dd1af03fa9cf2dfe3 100644
|
|
--- a/content/browser/child_process_launcher_helper_linux.cc
|
|
+++ b/content/browser/child_process_launcher_helper_linux.cc
|
|
@@ -53,6 +53,18 @@ bool ChildProcessLauncherHelper::BeforeLaunchOnLauncherThread(
|
|
if (GetProcessType() == switches::kRendererProcess) {
|
|
const int sandbox_fd = SandboxHostLinux::GetInstance()->GetChildSocket();
|
|
options->fds_to_remap.push_back(std::make_pair(sandbox_fd, GetSandboxFD()));
|
|
+
|
|
+ // (For Electron), if we're launching without zygote, that means we're
|
|
+ // launching an unsandboxed process (since all sandboxed processes are
|
|
+ // forked from the zygote). Relax the allow_new_privs option to permit
|
|
+ // launching suid processes from unsandboxed renderers.
|
|
+ ZygoteHandle zygote_handle =
|
|
+ base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kNoZygote)
|
|
+ ? nullptr
|
|
+ : delegate_->GetZygote();
|
|
+ if (!zygote_handle) {
|
|
+ options->allow_new_privs = true;
|
|
+ }
|
|
}
|
|
|
|
options->environment = delegate_->GetEnvironment();
|