add --no-sandbox to zygote

electron · Nov 12, 2018 · 0f77136 · 0f77136
1 parent e0418d7
commit 0f77136
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/atom/app/atom_main_delegate.cc b/atom/app/atom_main_delegate.cc
@@ -27,6 +27,7 @@
 #include "ipc/ipc_buildflags.h"
 #include "services/service_manager/embedder/switches.h"
 #include "services/service_manager/sandbox/switches.h"
+#include "services/service_manager/zygote/common/zygote_buildflags.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/base/resource/resource_bundle.h"
 #include "ui/base/ui_base_switches.h"
@@ -213,6 +214,15 @@ void AtomMainDelegate::PreSandboxStartup() {
   // linux(namespace sandbox is available on most distros).
   command_line->AppendSwitch(service_manager::switches::kDisableSetuidSandbox);
 
+#if BUILDFLAG(USE_ZYGOTE_HANDLE)
+  // When using the zygote, we must launch the zygote with --no-sandbox if the
+  // renderers should be unsandboxed. Mixed-sandbox mode is not supported when
+  // using the zygote.
+  if (!command_line->HasSwitch(switches::kEnableSandbox)) {
+    command_line->AppendSwitch(service_manager::switches::kNoSandbox);
+  }
+#endif
+
   // Allow file:// URIs to read other file:// URIs by default.
   command_line->AppendSwitch(::switches::kAllowFileAccessFromFiles);