
--enable-sandbox required for proper sandboxing? #11631

@kewde


I'm wondering if --enable-sandbox is required to create sandboxed renderer processes?
I'm pretty sure it is, but I'd like to confirm.

In other words, does the configuration "sandbox: true", when used in BrowserWindow, create a sandboxed renderer process, or does it create compatibility for the sandbox and still require --enable-sandbox to be passed to the initial "electron"/browser process?

electron --enable-sandbox main.js

user@host:~/projects/electron-sandbox$ ps aux | grep "electron"
user     24157  1.0  0.7 611760 23944 pts/0    Sl+  21:43   0:00 node /home/user/.nvm/versions/node/v6.11.5/bin/electron --enable-sandbox main.js
user     24163  5.2  2.9 1139608 91316 pts/0   Sl+  21:43   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --enable-sandbox main.js
user     24166  0.2  0.9 323776 29584 pts/0    S+   21:43   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --type=zygote
user     24168  0.0  0.2 323776  8544 pts/0    S+   21:43   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --type=zygote
user     24200  1.4  2.1 701380 65928 pts/0    Sl+  21:43   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --type=renderer --primordial-pipe-token=675D8E4A0814441B121B11D8B93DCF50 --lang=en-US --enable-sandbox --app-path=/home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/resources/default_app.asar --node-integration=false --webview-tag=false --enable-sandbox --preload=/home/user/projects/electron-sandbox/preload-simple.js --context-isolation --enable-pinch --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --service-request-channel-token=675D8E4A0814441B121B11D8B93DCF50 --renderer-client-id=4 --shared-files=v8_natives_data:100,v8_snapshot_data:101
user     24212  0.0  0.0  12728  2216 pts/1    S+   21:43   0:00 grep electron

So this is where it gets interesting..
electron main.js

user@host:~/projects/electron-sandbox$ ps aux | grep "electron"
user     23861  0.1  0.7 611760 24076 pts/0    Sl+  21:41   0:00 node /home/user/.nvm/versions/node/v6.11.5/bin/electron main.js
user     23867  0.4  2.8 1139608 90340 pts/0   Sl+  21:41   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron main.js
user     23869  0.0  0.9 323776 28772 pts/0    S+   21:41   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --type=zygote --no-sandbox
user     23900  0.1  2.0 964548 64772 pts/0    Sl+  21:41   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --type=renderer --no-sandbox --primordial-pipe-token=C5B3996EEBA73B8B7BD3E0B824ABE86A --lang=en-US --app-path=/home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/resources/default_app.asar --node-integration=false --webview-tag=false --enable-sandbox --preload=/home/user/projects/electron-sandbox/preload-simple.js --context-isolation --enable-pinch --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --service-request-channel-token=C5B3996EEBA73B8B7BD3E0B824ABE86A --renderer-client-id=4 --shared-files=v8_natives_data:100,v8_snapshot_data:101
user     24012  0.0  0.0  12728  2188 pts/1    S+   21:42   0:00 grep electron

--no-sandbox ....... --node-integration=false --webview-tag=false --enable-sandbox

The main.js contains code along the lines of:

win = new BrowserWindow({
  webPreferences: {
    // ...
    sandbox: true,
    // ...
  }
});

Seemingly conflicting parameters.
Also an additional browser/zygote process has been spawned for the OS-enforced sandboxed version.

If you know the answer, please take the time. I'm building a repository, electron-sandbox-boilerplate, that aims to educate people about these kinds of things: kewde/electron-sandbox-boilerplate#3
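
An added example, not part of the original issue and not Electron's own code: a Node.js helper that reads `ps aux` lines like the two listings above and reports, per Electron process, its `--type` and which sandbox switches its command line carries, flagging the case where `--no-sandbox` and `--enable-sandbox` appear together. The sample lines and install paths are constructed, shortened from the output quoted in the post.

```javascript
// Added example: read sandbox-related flags off Electron process command lines.
// It reports what each command line says, not whether an OS sandbox is in effect.

// Constructed samples, shortened from the `ps aux` output quoted in the issue.
const BIN = '/opt/electron/dist/electron'; // hypothetical install path
const WITH_FLAG = [
  `user 24157 1.0 0.7 611760 23944 pts/0 Sl+ 21:43 0:00 node /usr/bin/electron --enable-sandbox main.js`,
  `user 24163 5.2 2.9 1139608 91316 pts/0 Sl+ 21:43 0:00 ${BIN} --enable-sandbox main.js`,
  `user 24166 0.2 0.9 323776 29584 pts/0 S+ 21:43 0:00 ${BIN} --type=zygote`,
  `user 24200 1.4 2.1 701380 65928 pts/0 Sl+ 21:43 0:00 ${BIN} --type=renderer --enable-sandbox --node-integration=false --enable-sandbox --context-isolation`,
].join('\n');
const WITHOUT_FLAG = [
  `user 23867 0.4 2.8 1139608 90340 pts/0 Sl+ 21:41 0:00 ${BIN} main.js`,
  `user 23869 0.0 0.9 323776 28772 pts/0 S+ 21:41 0:00 ${BIN} --type=zygote --no-sandbox`,
  `user 23900 0.1 2.0 964548 64772 pts/0 Sl+ 21:41 0:00 ${BIN} --type=renderer --no-sandbox --node-integration=false --enable-sandbox --context-isolation`,
  `user 24012 0.0 0.0 12728 2188 pts/1 S+ 21:42 0:00 grep electron`,
].join('\n');

// `ps aux` prints 10 whitespace-separated columns before the command.
const PS_LINE = /^\S+\s+(\d+)\s+(?:\S+\s+){8}(.+)$/;

function auditPs(psText) {
  const report = [];
  for (const line of psText.split('\n')) {
    const m = PS_LINE.exec(line.trim());
    if (!m) continue;
    const argv = m[2].split(/\s+/);
    // Keep only the Electron binary itself; skip the node launcher and grep.
    if (!/(^|\/)electron$/.test(argv[0])) continue;
    const typeArg = argv.find((a) => a.startsWith('--type='));
    const no = argv.includes('--no-sandbox');
    const yes = argv.includes('--enable-sandbox');
    report.push({
      pid: Number(m[1]),
      type: typeArg ? typeArg.slice('--type='.length) : 'browser',
      flags: no && yes ? 'conflict' : no ? 'no-sandbox' : yes ? 'enable-sandbox' : 'none',
    });
  }
  return report;
}

// Processes whose command line carries both switches, as in the second listing.
const conflicts = (psText) => auditPs(psText).filter((p) => p.flags === 'conflict');

console.table(auditPs(WITH_FLAG));
console.table(auditPs(WITHOUT_FLAG));
```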
