
chore: enable v2 sandbox on mac (#15647)

Jeremy Apthorp 6 years ago
parent
commit
4250f84272

+ 8 - 0
BUILD.gn

@@ -623,7 +623,9 @@ if (is_mac) {
     output_name = electron_helper_name
     deps = [
       ":electron_framework+link",
+      "//sandbox/mac:seatbelt",
     ]
+    defines = [ "HELPER_EXECUTABLE" ]
     sources = filenames.app_sources
     include_dirs = [ "." ]
     info_plist = "atom/renderer/resources/mac/Info.plist"
@@ -632,6 +634,12 @@ if (is_mac) {
       "-rpath",
       "@executable_path/../../..",
     ]
+    if (is_component_build) {
+      ldflags += [
+        "-rpath",
+        "@executable_path/../../../../../..",
+      ]
+    }
   }
 
   bundle_data("electron_app_framework_bundle_data") {
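Review bot: `defines = [ "HELPER_EXECUTABLE" ]` in the first hunk is the only thing that turns on the seatbelt bootstrap in the helper binary, but nothing at the definition site says so; a one-line comment such as `# HELPER_EXECUTABLE gates the seatbelt sandbox bootstrap in atom/app/atom_main.cc.` would tie the build flag to the code it enables and keep a future cleanup from dropping it silently. The component-build `-rpath` added in the second hunk (`@executable_path/../../../../../..`) likewise deserves a comment on what directory those six levels resolve to; presumably it lets the helper inside the nested bundle find the component dylibs in the output directory, but that is an inference from the path alone. The enclosing `if (is_mac)` target block begins outside both hunks.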

+ 35 - 0
atom/app/atom_main.cc

@@ -5,6 +5,7 @@
 #include "atom/app/atom_main.h"
 
 #include <cstdlib>
+#include <memory>
 #include <vector>
 
 #if defined(OS_WIN)
@@ -30,6 +31,7 @@
 #include "atom/app/atom_main_delegate.h"  // NOLINT
 #include "content/public/app/content_main.h"
 #else  // defined(OS_LINUX)
+#include <mach-o/dyld.h>
 #include <unistd.h>
 #include <cstdio>
 #include "atom/app/atom_library_main.h"
@@ -41,6 +43,10 @@
 #include "base/i18n/icu_util.h"
 #include "electron/buildflags/buildflags.h"
 
+#if defined(HELPER_EXECUTABLE)
+#include "sandbox/mac/seatbelt_exec.h"  // nogncheck
+#endif                                  // defined(HELPER_EXECUTABLE)
+
 namespace {
 
 #if BUILDFLAG(ENABLE_RUN_AS_NODE)
@@ -207,6 +213,35 @@ int main(int argc, char* argv[]) {
   }
 #endif
 
+#if defined(HELPER_EXECUTABLE)
+  uint32_t exec_path_size = 0;
+  int rv = _NSGetExecutablePath(NULL, &exec_path_size);
+  if (rv != -1) {
+    fprintf(stderr, "_NSGetExecutablePath: get length failed\n");
+    abort();
+  }
+
+  std::unique_ptr<char[]> exec_path(new char[exec_path_size]);
+  rv = _NSGetExecutablePath(exec_path.get(), &exec_path_size);
+  if (rv != 0) {
+    fprintf(stderr, "_NSGetExecutablePath: get path failed\n");
+    abort();
+  }
+  sandbox::SeatbeltExecServer::CreateFromArgumentsResult seatbelt =
+      sandbox::SeatbeltExecServer::CreateFromArguments(exec_path.get(), argc,
+                                                       argv);
+  if (seatbelt.sandbox_required) {
+    if (!seatbelt.server) {
+      fprintf(stderr, "Failed to create seatbelt sandbox server.\n");
+      abort();
+    }
+    if (!seatbelt.server->InitializeSandbox()) {
+      fprintf(stderr, "Failed to initialize sandbox.\n");
+      abort();
+    }
+  }
+#endif
+
   return AtomMain(argc, argv);
 }
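Review bot: The seatbelt bootstrap is placed at the very end of main(), immediately before `return AtomMain(argc, argv);`, so everything the earlier part of main() does (including the block closed by the `}`/`#endif` just above the hunk) executes before `InitializeSandbox()` is called; if any of that code touches the filesystem or the network it runs outside the policy. Moving the `#if defined(HELPER_EXECUTABLE)` block to the top of main(), or adding a comment stating why the preceding code needs no sandbox, would make the fail-closed intent explicit. Minor style points in the same hunk: `_NSGetExecutablePath(NULL, &exec_path_size)` should use `nullptr`, and `std::unique_ptr<char[]> exec_path(new char[exec_path_size]);` can be `auto exec_path = std::make_unique<char[]>(exec_path_size);` now that `<memory>` is included. The body of main() starts outside the hunk.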
 

+ 0 - 7
atom/browser/atom_browser_main_parts.cc

@@ -198,13 +198,6 @@ void AtomBrowserMainParts::InitializeFeatureList() {
       cmd_line->GetSwitchValueASCII(::switches::kEnableFeatures);
   auto disable_features =
       cmd_line->GetSwitchValueASCII(::switches::kDisableFeatures);
-#if defined(OS_MACOSX)
-  // Disable the V2 sandbox on macOS.
-  // Chromium is going to use the system sandbox API of macOS for the sandbox
-  // implmentation, we may have to deprecate --mixed-sandbox for macOS once
-  // Chromium drops support for the old sandbox implmentation.
-  disable_features += std::string(",") + features::kMacV2Sandbox.name;
-#endif
   // Disable creation of spare renderer process with site-per-process mode,
   // it interferes with our process preference tracking for non sandboxed mode.
   // Can be reenabled when our site instance policy is aligned with chromium

+ 0 - 1
patches/common/chromium/.patches

@@ -72,6 +72,5 @@ customizable_app_indicator_id_prefix.patch
 cross_site_document_resource_handler.patch
 content_allow_embedder_to_prevent_locking_scheme_registry.patch
 fix_trackpad_scrolling.patch
-mac_fix_form_control_rendering_on_10_14_mojave.patch
 support_mixed_sandbox_with_zygote.patch
 disable_color_correct_rendering.patch

+ 0 - 90
patches/common/chromium/mac_fix_form_control_rendering_on_10_14_mojave.patch

@@ -1,90 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: deepak1556 <[email protected]>
-Date: Tue, 27 Nov 2018 04:32:18 +0530
-Subject: [Mac] Fix form control rendering on 10.14 Mojave.
-
-Backports https://crrev.com/c/1106298/ and https://crrev.com/c/1130163/
-with changes required for v1 sandbox on macOS.
-
-This can be removed after enabling seatbelt sandbox v2
-
-diff --git a/services/service_manager/sandbox/mac/common.sb b/services/service_manager/sandbox/mac/common.sb
-index 0e90c9ab2f61aacceb1ca60893445881339b834a..b7dc1998df0f42cc58d24f2233a929810244440e 100644
---- a/services/service_manager/sandbox/mac/common.sb
-+++ b/services/service_manager/sandbox/mac/common.sb
-@@ -19,6 +19,7 @@
- (define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
- (define elcap-or-later "ELCAP_OR_LATER")
- (define macos-1013 "MACOS_1013")
-+(define os-version (string->number (param "OS_VERSION")))
- 
- ; Consumes a subpath and appends it to the user's homedir path.
- (define (user-homedir-path subpath)
-diff --git a/services/service_manager/sandbox/mac/renderer.sb b/services/service_manager/sandbox/mac/renderer.sb
-index 09f142e19c2cb2ba8fb3fbcd2df1684899ae1c16..7e56b3fa582afcaa4a4862246553c0fbdf520e6a 100644
---- a/services/service_manager/sandbox/mac/renderer.sb
-+++ b/services/service_manager/sandbox/mac/renderer.sb
-@@ -12,6 +12,7 @@
- (allow mach-lookup (global-name "com.apple.FontObjectsServer"))
- (allow mach-lookup (global-name "com.apple.FontServer"))
- (allow mach-lookup (global-name "com.apple.fonts"))
-+(allow mach-lookup (global-name "com.apple.cvmsServ")) ; https://crbug.com/850021
- (allow file-read* (extension "com.apple.app-sandbox.read")) ; https://crbug.com/662686
- 
- ; Allow read-only connection to launchservicesd. https://crbug.com/533537
-@@ -41,6 +42,19 @@
-          (allow file-read-data (subpath "/usr/share/zoneinfo.default")))
-   (allow file-read-data (subpath "/usr/share/zoneinfo")))
- 
-+; Reads of signed Mach-O blobs created by the CVMS server.
-+; https://crbug.com/850021
-+(if (>= os-version 1014)
-+  (allow file-read*
-+    (extension "com.apple.cvms.kernel")
-+    (prefix "/private/tmp/cvmsCodeSignObj")
-+    (subpath "/private/var/db/CVMS")))
-+
-+; Reads from /Library.
-+; https://crbug.com/850021
-+(allow file-read-data
-+  (subpath "/Library/GPUBundles"))
-+
- ; Allow access to the metadata of the /etc symlink.
- (allow file-read-metadata (path "/etc"))
- ; Allow access to the symlink target as well.
-diff --git a/services/service_manager/sandbox/mac/sandbox_mac.mm b/services/service_manager/sandbox/mac/sandbox_mac.mm
-index d69fcc0d4c5c2471163280c03a9fd9366e05031d..cdd7b7f6723162d6875c4d11379837708bdde79d 100644
---- a/services/service_manager/sandbox/mac/sandbox_mac.mm
-+++ b/services/service_manager/sandbox/mac/sandbox_mac.mm
-@@ -81,6 +81,21 @@
-                   size_t(SANDBOX_TYPE_AFTER_LAST_TYPE),
-               "sandbox type to resource id mapping incorrect");
- 
-+// Produce the OS version as an integer "1010", etc. and pass that to the
-+// profile. The profile converts the string back to a number and can do
-+// comparison operations on OS version.
-+std::string GetOSVersion() {
-+  int32_t major_version, minor_version, bugfix_version;
-+  base::SysInfo::OperatingSystemVersionNumbers(&major_version, &minor_version,
-+                                               &bugfix_version);
-+  base::CheckedNumeric<int32_t> os_version(major_version);
-+  os_version *= 100;
-+  os_version += minor_version;
-+
-+  int32_t final_os_version = os_version.ValueOrDie();
-+  return std::to_string(final_os_version);
-+}
-+
- }  // namespace
- 
- // Static variable declarations.
-@@ -242,6 +257,9 @@
-   if (!compiler.InsertBooleanParam(kSandboxMacOS1013, macos_1013))
-     return false;
- 
-+  if (!compiler.InsertStringParam(kSandboxOSVersion, GetOSVersion()))
-+    return false;
-+
-   if (sandbox_type == service_manager::SANDBOX_TYPE_CDM) {
-     base::FilePath bundle_path = SandboxMac::GetCanonicalPath(
-         base::mac::FrameworkBundlePath().DirName());