From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Apthorp
Date: Mon, 26 Aug 2019 12:02:51 -0700
Subject: allow new privileges in unsandboxed child processes

This allows unsandboxed child process to launch setuid processes on Linux.

diff --git a/content/browser/child_process_launcher_helper_linux.cc b/content/browser/child_process_launcher_helper_linux.cc
index 31ccdd899b06f91ab73ab27380ad0712b23fd563..b8147fce70f90191f9d4a794f69f32b23eac0e08 100644
--- a/content/browser/child_process_launcher_helper_linux.cc
+++ b/content/browser/child_process_launcher_helper_linux.cc
@@ -62,6 +62,15 @@ bool ChildProcessLauncherHelper::BeforeLaunchOnLauncherThread(
 options->fds_to_remap.emplace_back(sandbox_fd, GetSandboxFD());
 }
+ // (For Electron), if we're launching without zygote, that means we're
+ // launching an unsandboxed process (since all sandboxed processes are
+ // forked from the zygote). Relax the allow_new_privs option to permit
+ // launching suid processes from unsandboxed child processes.
+ if (!base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kNoZygote) &&
+ delegate_->GetZygote() == nullptr) {
+ options->allow_new_privs = true;
+ }
+
 options->environment = delegate_->GetEnvironment();
 } else {
 DCHECK(GetZygoteForLaunch());
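Review bot: The new condition infers "unsandboxed" from `delegate_->GetZygote() == nullptr`, which is an indirect signal for a decision that leaves PR_SET_NO_NEW_PRIVS unset in the child and in everything it later execs. If the delegate exposes its sandbox type, testing that directly would keep a future zygote-less but sandboxed process type from silently picking up this relaxation. The comment also does not say why `switches::kNoZygote` is excluded; I would add `// With --no-zygote every child has a null zygote, sandboxed or not, so keep no_new_privs set in that mode.` above the `if`. BeforeLaunchOnLauncherThread starts and ends outside this hunk, so whether an earlier branch already establishes the sandbox state is not visible here.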