diff options
| -rwxr-xr-x | dist-assets/linux/mullvad-gui-launcher.sh | 9 | ||||
| -rw-r--r-- | gui/src/main/index.ts | 13 |
2 files changed, 16 insertions, 6 deletions
diff --git a/dist-assets/linux/mullvad-gui-launcher.sh b/dist-assets/linux/mullvad-gui-launcher.sh index cf75c4e916..32be5868ca 100755 --- a/dist-assets/linux/mullvad-gui-launcher.sh +++ b/dist-assets/linux/mullvad-gui-launcher.sh @@ -1,5 +1,12 @@ #!/usr/bin/env bash set -eu +UNPRIVILEGED_USERNS_PATH="/proc/sys/kernel/unprivileged_userns_clone" +if [ -e $UNPRIVILEGED_USERNS_PATH ] && grep -q 0 $UNPRIVILEGED_USERNS_PATH; then + SANDBOX_FLAG="--no-sandbox" +else + SANDBOX_FLAG="" +fi + SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -exec "$SCRIPT_DIR/mullvad-gui" --no-sandbox "$@" +exec "$SCRIPT_DIR/mullvad-gui" $SANDBOX_FLAG "$@" diff --git a/gui/src/main/index.ts b/gui/src/main/index.ts index f3ac7e72c0..2fe32a0d16 100644 --- a/gui/src/main/index.ts +++ b/gui/src/main/index.ts @@ -85,6 +85,8 @@ const AUTO_CONNECT_FALLBACK_DELAY = 6000; /// Mirrors the beta check regex in the daemon. Matches only well formed beta versions const IS_BETA = /^(\d{4})\.(\d+)-beta(\d+)$/; +const SANDBOX_DISABLED = app.commandLine.hasSwitch('no-sandbox'); + enum AppQuitStage { unready, initiated, @@ -209,10 +211,6 @@ class ApplicationMain { app.commandLine.appendSwitch('wm-window-animations-disabled'); } - if (process.platform !== 'linux') { - app.enableSandbox(); - } - this.overrideAppPaths(); if (this.ensureSingleInstance()) { @@ -221,6 +219,11 @@ class ApplicationMain { this.initLogging(); + log.debug(`Chromium sandbox disabled: ${SANDBOX_DISABLED}`); + if (!SANDBOX_DISABLED) { + app.enableSandbox(); + } + log.info(`Running version ${app.getVersion()}`); if (process.platform === 'win32') { @@ -1453,7 +1456,7 @@ class ApplicationMain { nodeIntegrationInWorker: false, nodeIntegrationInSubFrames: false, enableRemoteModule: false, - sandbox: process.platform !== 'linux', + sandbox: !SANDBOX_DISABLED, contextIsolation: true, spellcheck: false, devTools: process.env.NODE_ENV === 'development', |