Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
Alchemy Viewer
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Iterations
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Locked files
Deploy
Releases
Package Registry
Operate
Terraform modules
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Silent mode is enabled
All outbound communications are blocked.
Learn more
.
Show more breadcrumbs
Alchemy Viewer
Alchemy Viewer
Commits
1c0171e3
Commit
1c0171e3
authored
2 years ago
by
Rye Mutt
Browse files
Options
Downloads
Plain Diff
Merge remote-tracking branch 'origin/darl/fix/chrome-sandbox-ux-improvements'
parents
72d475b5
b728f3d4
No related branches found
Branches containing commit
No related tags found
Tags containing commit
1 merge request
!101
Linux: Improve UX for Chromium sandboxing onboarding and for users who opt out
Changes
2
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
indra/newview/linux_tools/install.sh
+26
-2
26 additions, 2 deletions
indra/newview/linux_tools/install.sh
indra/newview/linux_tools/wrapper.sh
+6
-3
6 additions, 3 deletions
indra/newview/linux_tools/wrapper.sh
with
32 additions
and
5 deletions
indra/newview/linux_tools/install.sh
+
26
−
2
View file @
1c0171e3
...
@@ -93,11 +93,35 @@ function install_to_prefix()
...
@@ -93,11 +93,35 @@ function install_to_prefix()
if
[
"
$UID
"
==
"0"
]
;
then
if
[
"
$UID
"
==
"0"
]
;
then
"
$1
/etc/chrome_sandboxing_permissions_setup.sh"
"
$1
/etc/chrome_sandboxing_permissions_setup.sh"
else
else
echo
"Permissions on
$SANDBOX_BIN
need to be set to enable security sandboxing for the integrated browser. You may be asked to authorize this step with administrative credentials."
echo
" ╭──────────────────────────────────────────╮"
prompt
"This step is optional, though recommended for safety and security. Proceed with the installation? [Y/N]: "
echo
"╭────────────────┘ Web Media Process Sandboxing Setup └──────────────────╮"
echo
"│ │"
echo
"│ Embedded Chromium sandboxing is a highly recommended security feature! │"
echo
"│ │"
echo
"│Sandboxing helps prevents malicious code from running in the browser process, │"
echo
"│which could otherwise be used to compromise the viewer or your system. │"
echo
"│ │"
echo
"│For more information please see the following resources: │"
echo
"│https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md │"
echo
"│https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/sandboxing.md│"
echo
"│ │"
echo
"│Permissions on the following viewer file must be set to enable sandboxing. │"
echo
"│ bin/llplugin/chrome-sandbox │"
echo
"│ │"
echo
"│You may be asked provide credentials to authorize this setup. │"
echo
"╰──────────────────────────────────────────────────────────────────────────────╯"
echo
"Saying no will not enable sandboxing, which endangers your system security."
echo
"Saying yes will run a chown and chmod command to enable sandboxing."
echo
""
warn
"By refusing this step, you accept this risk."
prompt
"Proceed with enabling web media process sandboxing? [Y/N]: "
if
[[
$?
==
0
]]
;
then
if
[[
$?
==
0
]]
;
then
# Save this choice so that we don't ask for creds on every viewer launch
touch
"
$1
/bin/llplugin/.user_does_not_want_chrome_sandboxing_and_accepts_the_risks"
exit
0
exit
0
fi
fi
# Remove any previous opt-out file since we're opting in now
rm
"
$1
/bin/llplugin/.user_does_not_want_chrome_sandboxing_and_accepts_the_risks"
2> /dev/null
pkexec
"
$1
/etc/chrome_sandboxing_permissions_setup.sh"
||
die
"Failed to set permissions on chrome-sandbox"
pkexec
"
$1
/etc/chrome_sandboxing_permissions_setup.sh"
||
die
"Failed to set permissions on chrome-sandbox"
fi
fi
}
}
...
...
This diff is collapsed.
Click to expand it.
indra/newview/linux_tools/wrapper.sh
+
6
−
3
View file @
1c0171e3
...
@@ -107,10 +107,13 @@ done
...
@@ -107,10 +107,13 @@ done
# Check chrome-sandbox permissions, and try to set them if they are not already
# Check chrome-sandbox permissions, and try to set them if they are not already
SANDBOX_BIN
=
bin/llplugin/chrome-sandbox
SANDBOX_BIN
=
bin/llplugin/chrome-sandbox
# if set-user-id = false || is writable || executable = false || read is false || is owned by effective uid || is owned by effective gid
# if set-user-id = false || is writable || executable = false || read is false || is owned by effective uid || is owned by effective gid
OPTOUT_FILE
=
"bin/llplugin/.user_does_not_want_chrome_sandboxing_and_accepts_the_risks"
if
[[
!(
-u
$SANDBOX_BIN
)
||
(
-w
$SANDBOX_BIN
)
||
!(
-x
$SANDBOX_BIN
)
||
!(
-r
$SANDBOX_BIN
)
||
(
-O
$SANDBOX_BIN
)
||
(
-G
$SANDBOX_BIN
)
]]
;
then
if
[[
!(
-u
$SANDBOX_BIN
)
||
(
-w
$SANDBOX_BIN
)
||
!(
-x
$SANDBOX_BIN
)
||
!(
-r
$SANDBOX_BIN
)
||
(
-O
$SANDBOX_BIN
)
||
(
-G
$SANDBOX_BIN
)
]]
;
then
echo
"
$SANDBOX_BIN
permissions are incorrect and will be reset"
echo
"
$SANDBOX_BIN
permissions are not set properly to run under sandboxing."
SCRIPT_DIR
=
"
$(
cd
"
$(
dirname
"
${
BASH_SOURCE
[0]
}
"
)
"
&> /dev/null
&&
pwd
)
"
if
[
!
-f
"
$OPTOUT_FILE
"
]
;
then
pkexec
"
$SCRIPT_DIR
/etc/chrome_sandboxing_permissions_setup.sh"
SCRIPT_DIR
=
"
$(
cd
"
$(
dirname
"
${
BASH_SOURCE
[0]
}
"
)
"
&> /dev/null
&&
pwd
)
"
pkexec
"
$SCRIPT_DIR
/etc/chrome_sandboxing_permissions_setup.sh"
fi
fi
fi
#setup wine voice
#setup wine voice
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
