
add --no-sandbox to zygote

nornagon committed Nov 12, 2018
1 parent e0418d7 commit 0f77136eeebda61a6cbc0b604cf268e80fc9a4dc
Showing with 10 additions and 0 deletions.
  1. +10 −0 atom/app/atom_main_delegate.cc
@@ -27,6 +27,7 @@
#include "ipc/ipc_buildflags.h"
#include "services/service_manager/embedder/switches.h"
#include "services/service_manager/sandbox/switches.h"
#include "services/service_manager/zygote/common/zygote_buildflags.h"
#include "ui/base/l10n/l10n_util.h"
#include "ui/base/resource/resource_bundle.h"
#include "ui/base/ui_base_switches.h"
@@ -213,6 +214,15 @@ void AtomMainDelegate::PreSandboxStartup() {
// linux(namespace sandbox is available on most distros).
command_line->AppendSwitch(service_manager::switches::kDisableSetuidSandbox);

#if BUILDFLAG(USE_ZYGOTE_HANDLE)
// When using the zygote, we must launch the zygote with --no-sandbox if the
// renderers should be unsandboxed. Mixed-sandbox mode is not supported when
// using the zygote.
if (!command_line->HasSwitch(switches::kEnableSandbox)) {
command_line->AppendSwitch(service_manager::switches::kNoSandbox);
}
#endif

// Allow file:// URIs to read other file:// URIs by default.
command_line->AppendSwitch(::switches::kAllowFileAccessFromFiles);
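Review bot: The new `#if BUILDFLAG(USE_ZYGOTE_HANDLE)` block appends `service_manager::switches::kNoSandbox` whenever `switches::kEnableSandbox` is absent, so on zygote builds the default is a fully unsandboxed process tree, and nothing in the hunk tells the user or the log that this happened. The comment speaks only of renderers, but `kNoSandbox` is a process-wide switch and, as far as I know, also turns off sandboxing for the other child process types; a window that requests sandboxing on its own without the global switch would presumably run unsandboxed too, which should be confirmed. I would state this in the comment, e.g. `// NOTE: kNoSandbox is process-wide: without --enable-sandbox no child process is sandboxed, not only renderers.`, and consider emitting a one-time warning when the switch is added. `PreSandboxStartup()` starts and ends outside the hunk, so whether this path is limited to the browser process cannot be seen from here.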
