feat: add ELECTRON_DISABLE_SANDBOX env var #16576

Merged
merged 1 commit into from Jan 29, 2019

nornagon commented Jan 28, 2019

Description of Change

This is to support easy disabling of sandboxing in CI environments, particularly on Linux where running CI inside docker is common, and Chrome's sandboxing technique conflicts with docker's default seccomp profile.

There have been concerns raised over whether this is a potential attack vector (e.g. an attacker who had control over the app's environment could set this variable to permit escalation), but I think there exist other easier routes to escalation if you have control over the environment, e.g. LD_PRELOAD or PATH.

Checklist

Release Notes

Notes: Added ELECTRON_DISABLE_SANDBOX environment variable to make it easier to disable sandboxing in Docker-based Linux CI environments.
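Added example, not part of this pull request or of Electron's code: a Linux-side audit that flags process environments carrying `ELECTRON_DISABLE_SANDBOX` outside CI, along with the `LD_PRELOAD` and `PATH` levers the description mentions. The function names, the `CI` marker variable, the sample environment block, and the choice to treat mere presence of the variable as a finding are assumptions made for illustration.

```python
import os

SANDBOX_VAR = "ELECTRON_DISABLE_SANDBOX"
CI_MARKER = "CI"  # assumption: CI jobs run with a CI=... variable exported

# Constructed sample in /proc/<pid>/environ layout (NUL-separated KEY=VALUE).
SAMPLE_DESKTOP = (b"PATH=/usr/bin:.:/bin\0ELECTRON_DISABLE_SANDBOX=1\0"
                  b"LD_PRELOAD=/tmp/hook.so\0HOME=/home/user\0")

def parse_environ(raw):
    """Parse a NUL-separated environment block into a dict."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep and key:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def audit_environ(env):
    """Return (severity, message) findings for one process environment."""
    findings = []
    if SANDBOX_VAR in env:
        # Assumption: presence alone is a finding, whatever the value is.
        in_ci = CI_MARKER in env
        findings.append(("info" if in_ci else "high",
                         f"{SANDBOX_VAR} set, CI marker present: {in_ci}"))
    if env.get("LD_PRELOAD"):
        findings.append(("high", "LD_PRELOAD=" + env["LD_PRELOAD"]))
    if "PATH" in env:
        # Empty or relative entries resolve against the working directory.
        for part in env["PATH"].split(":"):
            if not part.startswith("/"):
                findings.append(("medium", f"non-absolute PATH entry {part!r}"))
    return findings

def scan_proc(proc_root="/proc"):
    """Audit each readable process on a Linux host; yields (pid, findings)."""
    for name in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                findings = audit_environ(parse_environ(fh.read()))
        except OSError:  # process exited, or belongs to another user
            continue
        if findings:
            yield int(name), findings

if __name__ == "__main__":
    for severity, message in audit_environ(parse_environ(SAMPLE_DESKTOP)):
        print(severity, message)
```

`scan_proc()` only sees processes whose `environ` file the calling user can read, so run it with matching privileges when auditing a whole host.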

@nornagon nornagon requested review from ckerr and jkleinsc Jan 28, 2019

@nornagon nornagon requested a review from electron/reviewers as a code owner Jan 28, 2019

@nornagon nornagon referenced this pull request Jan 28, 2019

Closed

test: run tests without sandbox on arm #16515


zcbenz approved these changes Jan 29, 2019

@zcbenz zcbenz merged commit 257de6a into master Jan 29, 2019


release-clerk bot commented Jan 29, 2019

Release Notes Persisted

Added ELECTRON_DISABLE_SANDBOX environment variable to make it easier to disable sandboxing in Docker-based Linux CI environments.

@zcbenz zcbenz deleted the disable-sandbox-envvar branch Jan 29, 2019

nornagon commented Jan 31, 2019

/trop run backport

trop bot commented Jan 31, 2019

The backport process for this PR has been manually initiated, here we go! :D

trop bot commented Jan 31, 2019

I have automatically backported this PR to "5-0-x", please check out #16662

@sofianguy sofianguy added this to 5.0.0-beta.2 in 5.0.x Feb 4, 2019
