[BEEEP | PM-25358] Add process isolation on windows and mac desktop main process (#16156)

* Prevent memory dumping and debugger on windows and mac main process * Fix clippy * Only isolate process when isdev is false * Clean up * Add backticks around link
2026-01-09 20:13:42 +00:00 · 2025-09-04 21:40:25 +02:00
parent ca9b531571
commit ea1c3252e8
10 changed files with 101 additions and 27 deletions
--- a/apps/desktop/src/main/window.main.ts
+++ b/apps/desktop/src/main/window.main.ts
@@ -36,7 +36,7 @@ export class WindowMain {
  private windowStateChangeTimer: NodeJS.Timeout;
  private windowStates: { [key: string]: WindowState } = {};
  private enableAlwaysOnTop = false;
-  private enableRendererProcessForceCrashReload = false;
+  private enableRendererProcessForceCrashReload = true;
  session: Electron.Session;

  readonly defaultWidth = 950;
@@ -149,28 +149,31 @@ export class WindowMain {
        // initialization and is ready to create browser windows.
        // Some APIs can only be used after this event occurs.
        app.on("ready", async () => {
-          if (isMac() || isWindows()) {
-            this.enableRendererProcessForceCrashReload = true;
-          } else if (isLinux() && !isDev()) {
-            if (await processisolations.isCoreDumpingDisabled()) {
-              this.logService.info("Coredumps are disabled in renderer process");
-              this.enableRendererProcessForceCrashReload = true;
-            } else {
-              this.logService.info("Disabling coredumps in main process");
+          if (!isDev()) {
+            // This currently breaks the file portal for snap https://github.com/flatpak/xdg-desktop-portal/issues/785
+            if (!isSnapStore()) {
+              this.logService.info(
+                "[Process Isolation] Isolating process from debuggers and memory dumps",
+              );
              try {
-                await processisolations.disableCoredumps();
+                await processisolations.isolateProcess();
              } catch (e) {
-                this.logService.error("Failed to disable coredumps", e);
+                this.logService.error("[Process Isolation] Failed to isolate main process", e);
              }
            }

-            // this currently breaks the file portal for snap https://github.com/flatpak/xdg-desktop-portal/issues/785
-            if (!isSnapStore()) {
-              this.logService.info("Disabling memory dumps in main process");
-              try {
-                await processisolations.disableMemoryAccess();
-              } catch (e) {
-                this.logService.error("Failed to disable memory dumps", e);
+            if (isLinux()) {
+              if (await processisolations.isCoreDumpingDisabled()) {
+                this.logService.info("Coredumps are disabled in renderer process");
+              } else {
+                this.enableRendererProcessForceCrashReload = false;
+                this.logService.info("Disabling coredumps in main process");
+                try {
+                  await processisolations.disableCoredumps();
+                  this.enableRendererProcessForceCrashReload = true;
+                } catch (e) {
+                  this.logService.error("Failed to disable coredumps", e);
+                }
              }
            }
          }