feat: enable setuid sandbox on linux

[nornagon]

Description of Change

This change enables the setuid sandbox on Linux. This allows Electron to run sandboxed in environments that disable CLONE_NEWUSER for unprivileged users (e.g. docker without CAP_SYS_ADMIN, and Arch Linux).

Closes #16631.

Checklist

• PR description included and stakeholders cc'd
• npm test passes
• tests are changed or added
• relevant documentation is changed or added
• PR title follows semantic commit guidelines
• PR release notes describe the change in a way relevant to app developers, and are capitalized, punctuated, and past tense.

Release Notes

Notes: Enabled the setuid sandbox on Linux, allowing Electron to launch sandboxed processes in environments that disable CLONE_NEWUSER for unprivileged users.

[nornagon]

This is a draft PR because it doesn't yet address the distribution side of this change. Specifically, in order to work correctly, the chrome_sandbox executable must be:

• named chrome-sandbox, in the same directory as the electron executable,
• owned by root, and
• have permission mask 4755 set.

If the above conditions are not met, the sandbox will not function. Chrome solves this problem during installation: the deb file distribution has those permissions encoded. We'll need to do something similar for both npm installed versions of Electron and versions that are packaged for distribution.

[nornagon]

Ref. electron-userland/electron-installer-debian#184

[nornagon]

Also Ref. electron-userland/electron-installer-redhat#112

[nornagon]

Requesting review from @electron/wg-security and @zcbenz

[MarshallOfSound]

Is it possible to support renaming of this binary to something static like electron_sandbox or even dynamic and based on the current binaries name?

E.g. myapp_sandbox

Not a deal breaker and this is literally just aesthetics

[deepak1556]

LGTM on build config changes.

[deepak1556]

Is it possible to support renaming of this binary to something static like electron_sandbox

Its hardcoded in upstream SetuidSandboxHost::GetSandboxBinaryPath(), will be a patch.

[nornagon]

it would be relatively easy but questionably valuable to rename the binary to something like electron-sandbox. it would be an unreasonable amount of work to make it dynamic.

[MarshallOfSound]

If it requires a patch to make it electron and too much work + patches to make it dynamic then I'm 👍 on this change. Worth asking the question 😄

[release-clerk]

Release Notes Persisted

Enabled the setuid sandbox on Linux, allowing Electron to launch sandboxed processes in environments that disable CLONE_NEWUSER for unprivileged users.

[malept]

Can we get this backported to 5-0-x?

[nornagon]

/trop run backport-to 5-0-x

[trop]

The backport process for this PR has been manually initiated,
sending your 1's and 0's to "5-0-x" here we go! :D

[trop]

I have automatically backported this PR to "5-0-x", please check out #17343