kewde / electron-sandbox-boilerplate

A simple example for a (more reasonably) secure electron application, by enabling the sandbox and forcing communication over IPC.
MIT License

--enable-sandbox required? #3

Closed kewde closed 6 years ago

kewde commented 6 years ago

I was going through the electron issues that involve the sandbox, in an attempt to learn more about how to properly deploy it. I came across an interesting discussion about the usage of the sandbox & webviews. https://github.com/electron/electron/issues/9611

@bpasero made the following remark:

I find it very confusing that you need to run electron --enable-sandbox to enable true sandboxing but if you forget to pass this argument you can still create windows with sandbox: true and the behaviour is almost the same (though probably fundamentally different in terms of security).

This got me thinking however, is the --enable-sandbox command line argument required even when you call the BrowserWindow like this?

win = new BrowserWindow({
  webPreferences: {
    ....
    sandbox: true,
    .....
  }
});

If it is the case, then I'd be interested in finding out if we have to pass specific arguments to electron-builder to have electron run with the sandbox enabled in packaged applications.

Maybe @tarruda can shine some light on this?

kewde commented 6 years ago

https://github.com/electron/electron/blob/master/docs/api/sandbox-option.md

However, in order to enable the Chromium OS sandbox, electron must be run with the --enable-sandbox command line argument.

For applications that require more security, the sandbox flag will force electron to spawn a classic chromium renderer that is compatible with the sandbox.

The word compatible gives me an eerie feeling.

I will add some additional documentation to this repository that will underline the importance of --enable-sandbox, and that "sandbox: true" does not suffice on its own.

Another thing to figure out is how to package the application with the sandbox enabled (libs like electron-builder, electron-forge & electron-package).

kewde commented 6 years ago

@carlosperate this might be of interest to you. I've added the --enable-sandbox flag as a must for the moment but it's still not very clear..

kewde commented 6 years ago

A bit more research into this issue turned this up:

electron --enable-sandbox main.js

user@host:~/projects/electron-sandbox$ ps aux | grep "electron"
user     24157  1.0  0.7 611760 23944 pts/0    Sl+  21:43   0:00 node /home/user/.nvm/versions/node/v6.11.5/bin/electron --enable-sandbox main.js
user     24163  5.2  2.9 1139608 91316 pts/0   Sl+  21:43   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --enable-sandbox main.js
user     24166  0.2  0.9 323776 29584 pts/0    S+   21:43   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --type=zygote
user     24168  0.0  0.2 323776  8544 pts/0    S+   21:43   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --type=zygote
user     24200  1.4  2.1 701380 65928 pts/0    Sl+  21:43   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --type=renderer --primordial-pipe-token=675D8E4A0814441B121B11D8B93DCF50 --lang=en-US --enable-sandbox --app-path=/home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/resources/default_app.asar --node-integration=false --webview-tag=false --enable-sandbox --preload=/home/user/projects/electron-sandbox/preload-simple.js --context-isolation --enable-pinch --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --service-request-channel-token=675D8E4A0814441B121B11D8B93DCF50 --renderer-client-id=4 --shared-files=v8_natives_data:100,v8_snapshot_data:101
user     24212  0.0  0.0  12728  2216 pts/1    S+   21:43   0:00 grep electron

So this is where it gets interesting.. electron main.js

user@host:~/projects/electron-sandbox$ ps aux | grep "electron"
user     23861  0.1  0.7 611760 24076 pts/0    Sl+  21:41   0:00 node /home/user/.nvm/versions/node/v6.11.5/bin/electron main.js
user     23867  0.4  2.8 1139608 90340 pts/0   Sl+  21:41   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron main.js
user     23869  0.0  0.9 323776 28772 pts/0    S+   21:41   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --type=zygote --no-sandbox
user     23900  0.1  2.0 964548 64772 pts/0    Sl+  21:41   0:00 /home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/electron --type=renderer --no-sandbox --primordial-pipe-token=C5B3996EEBA73B8B7BD3E0B824ABE86A --lang=en-US --app-path=/home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/resources/default_app.asar --node-integration=false --webview-tag=false --enable-sandbox --preload=/home/user/projects/electron-sandbox/preload-simple.js --context-isolation --enable-pinch --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --service-request-channel-token=C5B3996EEBA73B8B7BD3E0B824ABE86A --renderer-client-id=4 --shared-files=v8_natives_data:100,v8_snapshot_data:101
user     24012  0.0  0.0  12728  2188 pts/1    S+   21:42   0:00 grep electron

--no-sandbox --primordial-pipe-token=C5B3996EEBA73B8B7BD3E0B824ABE86A --lang=en-US --app-path=/home/user/.nvm/versions/node/v6.11.5/lib/node_modules/electron/dist/resources/default_app.asar --node-integration=false --webview-tag=false --enable-sandbox

Seemingly conflicting parameters. Also an additional browser/zygote process has been spawned for the OS-enforced sandboxed version.
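The comparison above is done by eye over ps aux output; here is the same check as a script, added as an example and not code from the issue or the repository. It flags any electron zygote or renderer launched with --no-sandbox (the OS sandbox is off) and marks renderers that carry both flags as conflicting. The sample ps lines are constructed, abbreviated from the two runs above; the paths, PIDs and the dropped tokens are assumptions.

```javascript
// Added example (not from the issue or the repository): audit `ps aux` output
// for Electron helper processes. Signal: a zygote or renderer carrying
// --no-sandbox runs without the OS-enforced sandbox, even if --enable-sandbox
// also appears later on the same command line.

const SANDBOXED_TYPES = new Set(['zygote', 'renderer']);

// Parse one `ps aux` line. Columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
function parsePsLine(line) {
  const cols = line.trim().split(/\s+/);
  if (cols.length < 11 || !/^\d+$/.test(cols[1])) return null; // header or blank line
  return { pid: Number(cols[1]), argv: cols.slice(10) };
}

// Returns { osSandboxed, findings[] }; findings cover only electron zygote/renderer processes.
function auditElectronProcesses(psOutput) {
  const findings = [];
  for (const line of psOutput.split('\n')) {
    const proc = parsePsLine(line);
    if (!proc || !/\/electron(\.exe)?$/.test(proc.argv[0])) continue; // skips node wrapper, grep
    const typeArg = proc.argv.find((a) => a.startsWith('--type='));
    if (!typeArg) continue; // the browser (main) process has no --type
    const type = typeArg.slice('--type='.length);
    if (!SANDBOXED_TYPES.has(type)) continue;
    const noSandbox = proc.argv.includes('--no-sandbox');
    const enableSandbox = proc.argv.includes('--enable-sandbox');
    findings.push({ pid: proc.pid, type, noSandbox, enableSandbox, conflicting: noSandbox && enableSandbox });
  }
  // Verdict: every helper must be free of --no-sandbox; no helpers seen at all counts as not sandboxed.
  return { osSandboxed: findings.length > 0 && findings.every((f) => !f.noSandbox), findings };
}

// Constructed sample output, abbreviated from the thread's two runs (paths, tokens shortened).
const SANDBOXED_PS = `
user 24157 1.0 0.7 611760 23944 pts/0 Sl+ 21:43 0:00 node /opt/bin/electron --enable-sandbox main.js
user 24163 5.2 2.9 1139608 91316 pts/0 Sl+ 21:43 0:00 /opt/electron/dist/electron --enable-sandbox main.js
user 24166 0.2 0.9 323776 29584 pts/0 S+ 21:43 0:00 /opt/electron/dist/electron --type=zygote
user 24168 0.0 0.2 323776 8544 pts/0 S+ 21:43 0:00 /opt/electron/dist/electron --type=zygote
user 24200 1.4 2.1 701380 65928 pts/0 Sl+ 21:43 0:00 /opt/electron/dist/electron --type=renderer --lang=en-US --enable-sandbox --node-integration=false --enable-sandbox --preload=/app/preload-simple.js --context-isolation
user 24212 0.0 0.0 12728 2216 pts/1 S+ 21:43 0:00 grep electron
`;
const UNSANDBOXED_PS = `
user 23867 0.4 2.8 1139608 90340 pts/0 Sl+ 21:41 0:00 /opt/electron/dist/electron main.js
user 23869 0.0 0.9 323776 28772 pts/0 S+ 21:41 0:00 /opt/electron/dist/electron --type=zygote --no-sandbox
user 23900 0.1 2.0 964548 64772 pts/0 Sl+ 21:41 0:00 /opt/electron/dist/electron --type=renderer --no-sandbox --lang=en-US --node-integration=false --enable-sandbox --preload=/app/preload-simple.js
`;

for (const [label, ps] of [['--enable-sandbox run', SANDBOXED_PS], ['plain run', UNSANDBOXED_PS]]) {
  const { osSandboxed, findings } = auditElectronProcesses(ps);
  console.log(label, osSandboxed ? 'OS sandbox ON' : 'OS sandbox OFF', findings);
}
```

On a real machine, feed it the output of ps aux | grep electron instead of the constructed strings.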

kewde commented 6 years ago

In case anyone is looking for a direct solution:

If you run this as a NodeJS application, which basically means: DO NOT run this code in electron as such: electron thisCode.js but through node:

nodejs thisCode.js

const electron = require('electron')
const proc = require('child_process')

// When required from plain Node (not from inside Electron), the 'electron' package
// exports the path to the Electron binary, something similar to /Users/maf/.../Electron
console.log(electron)
// ONLY DISPLAYS PATH WHEN RAN IN NODE ENV, NOT IN ELECTRON ENV

// spawn Electron with the OS sandbox flag; inherit stdio so Electron's own output stays visible
const child = proc.spawn(electron, ['--enable-sandbox', 'main.js'], { stdio: 'inherit' })

kewde commented 6 years ago

I've updated sandbox-preloader-extended to include this small patch for the moment.