fix(linux): Don't setuid chrome-sandbox when not required (#8368)

This is not necessary in many environments, so we now test for whether this is required and then enable it only when necessary.

Author: pimterry

.changeset/purple-terms-sing.md

@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: don't setuid chrome-sandbox when not required

packages/app-builder-lib/templates/linux/after-install.tpl

@@ -10,8 +10,13 @@ else
     ln -sf '/opt/${sanitizedProductName}/${executable}' '/usr/bin/${executable}'
 fi
 
-# SUID chrome-sandbox for Electron 5+
-chmod 4755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
+# Check if user namespaces are supported by the kernel and working with a quick test:
+if ! { [[ -L /proc/self/ns/user ]] && unshare --user true; }; then
+    # Use SUID chrome-sandbox only on systems without user namespaces:
+    chmod 4755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
+else
+    chmod 0755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
+fi
 
 if hash update-mime-database 2>/dev/null; then
     update-mime-database /usr/share/mime || true

test/snapshots/linux/debTest.js.snap

@@ -530,8 +530,13 @@ else
     ln -sf '/opt/foo/Boo' '/usr/bin/Boo'
 fi
 
-# SUID chrome-sandbox for Electron 5+
-chmod 4755 '/opt/foo/chrome-sandbox' || true
+# Check if user namespaces are supported by the kernel and working with a quick test:
+if ! { [[ -L /proc/self/ns/user ]] && unshare --user true; }; then
+    # Use SUID chrome-sandbox only on systems without user namespaces:
+    chmod 4755 '/opt/foo/chrome-sandbox' || true
+else
+    chmod 0755 '/opt/foo/chrome-sandbox' || true
+fi
 
 if hash update-mime-database 2>/dev/null; then
     update-mime-database /usr/share/mime || true