Merge pull request #1528 from Bilb/fix-suid-issue

Fix suid issue

.prettierignore

@@ -56,3 +56,4 @@ stylesheets/_intlTelInput.scss
 coverage/**
 .nyc_output/**
 session-file-server/**
+release/**

build/afterPackHook.js

@@ -0,0 +1,43 @@
+const path = require('path');
+const fs = require('fs');
+const util = require('util');
+
+const renameAsync = util.promisify(fs.rename);
+const unlinkAsync = util.promisify(fs.unlink);
+
+module.exports = async function(context) {
+  // Replace the app launcher on linux only.
+  if (process.platform !== 'linux') {
+    return;
+  }
+  const isAppImage = context.targets.find(target => target.name === 'appImage');
+  if (!isAppImage) {
+    return;
+  }
+  // eslint-disable-next-line no-console
+  console.log('afterPack hook triggered', context);
+
+  const executableName = context.packager.executableName;
+  const sourceExecutable = path.join(context.appOutDir, executableName);
+  const targetExecutable = path.join(
+    context.appOutDir,
+    `${executableName}-bin`
+  );
+  const launcherScript = path.join(
+    context.appOutDir,
+    'resources',
+    'launcher-script.sh'
+  );
+  const chromeSandbox = path.join(context.appOutDir, 'chrome-sandbox');
+
+  return Promise.all([
+    // rename session-desktop to session-desktop-bin
+    renameAsync(sourceExecutable, targetExecutable),
+
+    // rename launcher script to session-desktop
+    renameAsync(launcherScript, sourceExecutable),
+
+    // remove the chrome-sandbox file since we explicitly disable it
+    unlinkAsync(chromeSandbox),
+  ]);
+};

build/launcher-script.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -e
+
+# Some distributions do not have unprivileged_userns_clone disabled.
+# If that's the case, and we run an AppImage (deb is not impacted by this),
+# the app won't start unless we start it with --no-sandbox.
+# This bash script is the launcher script for AppImage only, and will at runtime check
+# if we need to add the --no-sandbox before running the AppImage itself.
+
+UNPRIVILEGED_USERNS_ENABLED=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+exec "$SCRIPT_DIR/session-desktop-bin" "$([[ $UNPRIVILEGED_USERNS_ENABLED == 0 ]] && echo '--no-sandbox')" "$@"

main.js

@@ -256,6 +256,7 @@ function isVisible(window, bounds) {
 async function createWindow() {
   const { screen } = electron;
   const { minWidth, minHeight, width, height } = getWindowSize();
+
   const windowOptions = Object.assign(
     {
       show: !startInTray, // allow to start minimised in tray

package.json

@@ -35,7 +35,6 @@
     "test-electron": "yarn grunt test",
     "test-integration": "ELECTRON_DISABLE_SANDBOX=1 mocha --exit --full-trace --timeout 10000 ts/test/session/integration/integration_itest.js",
     "test-node": "mocha --recursive --exit --timeout 10000  test/app test/modules \"./ts/test/**/*_test.js\" libloki/test/node ",
-    "test-audric": "mocha --recursive --exit --timeout 10000 ts/test/session/unit/",
     "eslint": "eslint --cache .",
     "eslint-fix": "eslint --fix .",
     "eslint-full": "eslint .",
@@ -223,6 +222,10 @@
     "appId": "com.loki-project.messenger-desktop",
     "afterSign": "build/notarize.js",
     "artifactName": "${name}-${os}-${arch}-${version}.${ext}",
+    "extraResources": {
+      "from": "./build/launcher-script.sh",
+      "to": "./launcher-script.sh"
+    },
     "mac": {
       "category": "public.app-category.social-networking",
       "icon": "build/icons/mac/icon.icns",
@@ -333,7 +336,8 @@
       "!node_modules/@journeyapps/sqlcipher/lib/binding/node-*",
       "!build/*.js",
       "!dev-app-update.yml"
-    ]
+    ],
+    "afterPack": "./build/afterPackHook.js"
   },
   "husky": {
     "hooks": {
@@ -345,4 +349,4 @@
     "*/**/*.{css,js,json,scss,ts,tsx}": "prettier --write",
     "*.js": "eslint --cache --fix"
   }
-}
+}