enable v2 sandbox

BUILD.gn

@@ -622,7 +622,9 @@ if (is_mac) {
     output_name = electron_helper_name
     deps = [
       ":electron_framework+link",
+      "//sandbox/mac:seatbelt",
     ]
+    defines = [ "HELPER_EXECUTABLE" ]
     sources = filenames.app_sources
     include_dirs = [ "." ]
     info_plist = "atom/renderer/resources/mac/Info.plist"
@@ -631,6 +633,12 @@ if (is_mac) {
       "-rpath",
       "@executable_path/../../..",
     ]
+    if (is_component_build) {
+      ldflags += [
+        "-rpath",
+        "@executable_path/../../../../../..",
+      ]
+    }
   }
 
   bundle_data("electron_app_framework_bundle_data") {

atom/app/atom_main.cc

@@ -5,6 +5,7 @@
 #include "atom/app/atom_main.h"
 
 #include <cstdlib>
+#include <memory>
 #include <vector>
 
 #if defined(OS_WIN)
@@ -30,6 +31,7 @@
 #include "atom/app/atom_main_delegate.h"  // NOLINT
 #include "content/public/app/content_main.h"
 #else  // defined(OS_LINUX)
+#include <mach-o/dyld.h>
 #include <unistd.h>
 #include <cstdio>
 #include "atom/app/atom_library_main.h"
@@ -41,6 +43,10 @@
 #include "base/i18n/icu_util.h"
 #include "electron/buildflags/buildflags.h"
 
+#if defined(HELPER_EXECUTABLE)
+#include "sandbox/mac/seatbelt_exec.h"  // nogncheck
+#endif                                  // defined(HELPER_EXECUTABLE)
+
 namespace {
 
 #if BUILDFLAG(ENABLE_RUN_AS_NODE)
@@ -207,6 +213,35 @@ int main(int argc, char* argv[]) {
   }
 #endif
 
+#if defined(HELPER_EXECUTABLE)
+  uint32_t exec_path_size = 0;
+  int rv = _NSGetExecutablePath(NULL, &exec_path_size);
+  if (rv != -1) {
+    fprintf(stderr, "_NSGetExecutablePath: get length failed\n");
+    abort();
+  }
+
+  std::unique_ptr<char[]> exec_path(new char[exec_path_size]);
+  rv = _NSGetExecutablePath(exec_path.get(), &exec_path_size);
+  if (rv != 0) {
+    fprintf(stderr, "_NSGetExecutablePath: get path failed\n");
+    abort();
+  }
+  sandbox::SeatbeltExecServer::CreateFromArgumentsResult seatbelt =
+      sandbox::SeatbeltExecServer::CreateFromArguments(exec_path.get(), argc,
+                                                       argv);
+  if (seatbelt.sandbox_required) {
+    if (!seatbelt.server) {
+      fprintf(stderr, "Failed to create seatbelt sandbox server.\n");
+      abort();
+    }
+    if (!seatbelt.server->InitializeSandbox()) {
+      fprintf(stderr, "Failed to initialize sandbox.\n");
+      abort();
+    }
+  }
+#endif
+
   return AtomMain(argc, argv);
 }
 

atom/browser/atom_browser_main_parts.cc

@@ -198,13 +198,6 @@ void AtomBrowserMainParts::InitializeFeatureList() {
       cmd_line->GetSwitchValueASCII(::switches::kEnableFeatures);
   auto disable_features =
       cmd_line->GetSwitchValueASCII(::switches::kDisableFeatures);
-#if defined(OS_MACOSX)
-  // Disable the V2 sandbox on macOS.
-  // Chromium is going to use the system sandbox API of macOS for the sandbox
-  // implmentation, we may have to deprecate --mixed-sandbox for macOS once
-  // Chromium drops support for the old sandbox implmentation.
-  disable_features += std::string(",") + features::kMacV2Sandbox.name;
-#endif
   // Disable creation of spare renderer process with site-per-process mode,
   // it interferes with our process preference tracking for non sandboxed mode.
   // Can be reenabled when our site instance policy is aligned with chromium