Fix Linux subprocess crash: don't set no_sandbox=1 on Linux

linesight · claude · linesight · commit bc1cfad7a969 · 2026-04-22T21:22:38.000-07:00
cefApplicationSettings.no_sandbox=1 caused BasicStartupComplete() to
append --no-sandbox to the browser command line early in startup. Chrome
treats --no-sandbox as a signal to skip the Mojo IPC bootstrap fd
registration (GlobalDescriptors key 7) for all child processes. Every
subprocess (renderer, GPU, zygote) then crashed on startup with
"Failed global descriptor lookup: 7", making CreateBrowserSync() hang
indefinitely and causing all CI tests to time out.

Fix: leave no_sandbox=0 on Linux so Chrome's startup code registers
key 7 for every subprocess. Sandbox configuration is now handled
entirely via command-line switches:
  --disable-setuid-sandbox  (no chrome-sandbox binary shipped)
  --disable-namespace-sandbox  (for environments lacking user namespaces)

Unlike --no-sandbox, these two switches only skip the sandbox mechanism
itself; they do not affect Mojo IPC fd setup.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/examples/hello_world.py b/examples/hello_world.py
@@ -17,7 +17,29 @@
 def main():
     check_versions()
     sys.excepthook = cef.ExceptHook  # To shutdown all CEF processes on error
-    cef.Initialize()
+    switches = {}
+    if sys.platform.startswith("linux"):
+        # cefpython does not ship a chrome-sandbox (setuid) binary.
+        # Disable both the setuid and namespace sandboxes so Chrome runs
+        # subprocesses without sandboxing. Unlike --no-sandbox, these two
+        # flags do NOT suppress the Mojo IPC bootstrap fd registration
+        # (GlobalDescriptors key 7), so subprocesses can still communicate.
+        switches["disable-setuid-sandbox"] = ""
+        switches["disable-namespace-sandbox"] = ""
+        # /dev/shm may be too small in VMs and containers.
+        switches["disable-dev-shm-usage"] = ""
+        # Suppress the GNOME Keyring unlock prompt on desktop sessions.
+        switches["password-store"] = "basic"
+        # Virtual GPU hardware (e.g. VMware) may not expose the DMA-BUF / GBM
+        # interface required by Chrome's GPU process. Keep the GPU in-process.
+        switches["disable-gpu"] = ""
+        switches["disable-gpu-compositing"] = ""
+        switches["in-process-gpu"] = ""
+        # Keep storage and network services in-process to reduce subprocess
+        # spawning overhead.
+        switches["disable-features"] = "StorageServiceOutOfProcess"
+        switches["enable-features"] = "NetworkServiceInProcess"
+    cef.Initialize(switches=switches)
     cef.CreateBrowserSync(url="https://www.google.com/",
                           window_title="Hello World!")
     cef.MessageLoop()
diff --git a/src/cefpython.pyx b/src/cefpython.pyx
@@ -615,8 +615,19 @@ def Initialize(applicationSettings=None, commandLineSwitches=None, **kwargs):
         g_applicationSettings[key] = copy.deepcopy(application_settings[key])
 
     cdef CefSettings cefApplicationSettings
-    # No sandboxing for the subprocesses
-    cefApplicationSettings.no_sandbox = 1
+    IF UNAME_SYSNAME == "Linux":
+        # On Linux, leave no_sandbox=0 so Chrome's startup code registers the
+        # Mojo IPC bootstrap fd (GlobalDescriptors key 7) for every subprocess.
+        # Setting no_sandbox=1 would cause BasicStartupComplete() to append
+        # --no-sandbox before fd registration, causing all subprocesses to crash
+        # with "Failed global descriptor lookup: 7". Sandbox behaviour is instead
+        # controlled via --disable-setuid-sandbox / --disable-namespace-sandbox
+        # command-line switches passed by the caller.
+        pass
+    ELSE:
+        # On Windows/macOS the sandbox helper binary is not shipped with
+        # cefpython, so disable sandboxing entirely.
+        cefApplicationSettings.no_sandbox = 1
     SetApplicationSettings(application_settings, &cefApplicationSettings)
 
     # External message pump
diff --git a/unittests/main_test.py b/unittests/main_test.py
@@ -144,10 +144,13 @@ def test_main(self):
         # Chrome 130+ blocks window.open() called without a user gesture.
         switches = {"disable-popup-blocking": ""}
         if LINUX:
-            # Disable the setuid sandbox helper (not shipped in our package)
-            # so that Chrome falls back to the user-namespace sandbox, which
-            # correctly passes the Mojo IPC bootstrap fd to subprocesses.
+            # cefpython does not ship a chrome-sandbox (setuid) binary.
+            # Disable both the setuid and namespace sandboxes so Chrome runs
+            # subprocesses without sandboxing. Unlike --no-sandbox, these two
+            # flags do NOT suppress the Mojo IPC bootstrap fd registration
+            # (GlobalDescriptors key 7), so subprocesses can still communicate.
             switches["disable-setuid-sandbox"] = ""
+            switches["disable-namespace-sandbox"] = ""
             # /dev/shm is too small in CI containers.
             switches["disable-dev-shm-usage"] = ""
             # GPU acceleration is not available under xvfb.
@@ -160,6 +163,8 @@ def test_main(self):
             # separate subprocess (reduces spawn overhead on CI).
             switches["disable-features"] = "StorageServiceOutOfProcess"
             switches["enable-features"] = "NetworkServiceInProcess"
+            # Suppress the GNOME Keyring unlock prompt on desktop sessions.
+            switches["password-store"] = "basic"
         cef.Initialize(settings, switches=switches)
         subtest_message("cef.Initialize() ok")
 
diff --git a/unittests/osr_test.py b/unittests/osr_test.py
@@ -113,10 +113,13 @@ def test_osr(self):
             "disable-surfaces": "",  # This is required for PDF ext to work
         }
         if LINUX:
-            # Disable the setuid sandbox helper (not shipped in our package)
-            # so that Chrome falls back to the user-namespace sandbox, which
-            # correctly passes the Mojo IPC bootstrap fd to subprocesses.
+            # cefpython does not ship a chrome-sandbox (setuid) binary.
+            # Disable both the setuid and namespace sandboxes so Chrome runs
+            # subprocesses without sandboxing. Unlike --no-sandbox, these two
+            # flags do NOT suppress the Mojo IPC bootstrap fd registration
+            # (GlobalDescriptors key 7), so subprocesses can still communicate.
             switches["disable-setuid-sandbox"] = ""
+            switches["disable-namespace-sandbox"] = ""
             # /dev/shm is too small in CI containers.
             switches["disable-dev-shm-usage"] = ""
             # Run GPU process inside the browser process so it is not
