index.ts
import path from "path";
import fs, {Stats} from "fs";
import {Packager, Platform} from "app-builder-lib";
import {promisify} from "util";
import {LOG, LOG_LEVELS, execShell} from "scripts/lib";
import {PACKAGE_NAME} from "src/shared/constants";
// LF separator used to join the lines of the generated launcher script.
const unixEOL = "\n";

// TODO use typed array on https://github.com/electron-userland/electron-builder/issues/3877 resolving
// Lower-cased electron-builder target names that are packaged with the launcher wrapper
// instead of a SUID "chrome-sandbox" helper.
const disableSuidSandboxTargetNames: ReadonlySet<string> = new Set<string>(["appimage", "snap"]);

// Set-user-ID permission bit of a file mode: 0o4000 octal, 0x800 hex, 2048 decimal.
const suidBit = 0o4000;
/**
 * Tells whether the SUID permission bit is set in the given file stats.
 *
 * @param stat - file stats; only `mode` is read
 * @returns `true` when `mode` carries the `suidBit` flag
 */
const hasSuidBit: (stat: Stats) => boolean = (stat) => {
  // tslint:disable-next-line:no-bitwise
  const maskedMode = stat.mode & suidBit;
  return maskedMode !== 0;
};
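/**
 * electron-builder "afterPack" hook that decides how the packaged Linux app deals with the Chromium sandbox.
 *
 * - Non-Linux platform: nothing is done.
 * - Linux, no "appimage"/"snap" target: "chrome-sandbox" in the output directory gets mode 4755
 *   (SUID bit plus rwxr-xr-x).
 * - Linux, at least one "appimage"/"snap" target: the app binary is renamed to "<name>.bin" and a
 *   "/bin/sh" launcher takes its place, starting the renamed binary with
 *   "--no-sandbox --disable-setuid-sandbox".
 *
 * @throws Error when the app binary is not a regular file or already has the SUID bit set.
 */
const afterPack: Packager["afterPack"] = async ({targets, appOutDir, electronPlatformName}) => {
  if (electronPlatformName !== Platform.LINUX.name) {
    return;
  }

  // A single matching target is enough to switch this output directory to the launcher wrapper.
  const disableSuidSandbox = targets.some(({name}) => disableSuidSandboxTargetNames.has(name.toLowerCase()));

  if (!disableSuidSandbox) {
    const chromeSandboxBinaryFilePath = path.join(appOutDir, "chrome-sandbox");

    // NOTE(review): Chromium accepts the SUID helper only when it is root-owned with mode 4755;
    // ownership is not set here, so presumably the package installer handles it - confirm.
    await execShell(["chmod", ["4755", chromeSandboxBinaryFilePath]]);

    return;
  }

  const appBinaryFileName = PACKAGE_NAME;
  const appBinaryFilePath = path.join(appOutDir, appBinaryFileName);
  const appBinaryStat = await promisify(fs.stat)(appBinaryFilePath);

  if (!appBinaryStat.isFile()) {
    throw new Error(`"${appBinaryFilePath}" is not a file`);
  }

  // The binary is about to be started without any sandbox, so it must not be a SUID executable.
  if (hasSuidBit(appBinaryStat)) {
    // JSON.stringify() of a Set yields "{}", so the names are listed through an array
    const targetNames = JSON.stringify(Array.from(disableSuidSandboxTargetNames));
    throw new Error(
      `"${appBinaryFilePath}" should not have SUID bit set for "${targetNames}" targets`,
    );
  }

  const renamedAppBinaryFileName = `${appBinaryFileName}.bin`;
  const renamedAppBinaryFilePath = path.join(path.dirname(appBinaryFilePath), renamedAppBinaryFileName);

  // SECURITY: "--no-sandbox" switches the Chromium sandbox off for the whole app in these builds,
  // so a compromised renderer is no longer contained by it. Whatever isolation remains has to come
  // from the app's own hardening, which is not visible in this file - verify before relying on it.
  const appBinaryPreloadFileContent = [
    // WARN: shebang must be the first line
    `#!/bin/sh`,
    // "--disable-setuid-sandbox" prevents falling back to SUID sandbox
    // the path and "$@" are quoted so that an install location or an argument containing whitespace
    // or glob characters reaches the binary unchanged instead of being re-split by the shell
    `"\${0%/*}/${renamedAppBinaryFileName}" --no-sandbox --disable-setuid-sandbox "$@"`,
    // empty line at the end
    ``,
  ].join(unixEOL);

  await execShell(["mv", [appBinaryFilePath, renamedAppBinaryFilePath]]);

  LOG(
    LOG_LEVELS.title(`Writing ${LOG_LEVELS.value(appBinaryFilePath)} file with content:${unixEOL}`),
    LOG_LEVELS.value(appBinaryPreloadFileContent),
  );

  await promisify(fs.writeFile)(appBinaryFilePath, appBinaryPreloadFileContent);
  await execShell(["chmod", ["+x", appBinaryFilePath]]);
};

export default afterPack;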