feat: releases can specify chrome-sandbox files

entity/release.go

@@ -20,6 +20,7 @@ type ExecuteSpec struct {
 }
 
 type Release struct {
+	ChromeSandbox string            `yaml:"chrome-sandbox"`
 	Cleanup       bool              `yaml:"cleanup,omitempty"`
 	DontLink      bool              `yaml:"dont_link,omitempty"`
 	DontUpdate    bool              `yaml:"dont_update,omitempty"`

internal/dir.go

@@ -7,10 +7,17 @@ import (
 
 func EnsureFileAbsent(file string) error {
 	_, err := os.Stat(file)
-	if err == nil {
-		return os.Remove(file)
-	} else if !os.IsNotExist(err) {
-		return err
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		} else {
+			return err
+		}
+	}
+
+	err = os.Remove(file)
+	if os.IsPermission(err) {
+		return MaybeRunWithSudo(fmt.Sprintf("rm %s", file))
 	}
 
 	return nil
@@ -52,5 +59,5 @@ func EnsureDirExists(dir string) error {
 		return err
 	}
 
-	return chown(dir, rootUser, rootUser)
+	return Chown(dir, rootUser, rootUser)
 }

internal/filecontent.go

@@ -62,7 +62,7 @@ func checksum(f string) (string, error) {
 	return hex.EncodeToString(sum), nil
 }
 
-func chown(file, user, group string) error {
+func Chown(file, user, group string) error {
 	isHomePath := IsHomePath(file)
 	if user == "" && group == "" {
 		if isHomePath {
@@ -98,7 +98,7 @@ func chown(file, user, group string) error {
 	return MaybeRunWithSudo(chownCmd)
 }
 
-func chmod(target string, mode int) error {
+func Chmod(target string, mode int) error {
 	octal := strconv.FormatInt(int64(mode), 8)
 	chmodCmd := fmt.Sprintf("chmod %s %s", octal, target)
 	return MaybeRunWithSudoForPath(chmodCmd, target)
@@ -295,7 +295,7 @@ func WriteContent(file ManagedFile) (bool, error) {
 	}
 
 	if currentMode != mode || !dstExists {
-		err = chmod(target, mode)
+		err = Chmod(target, mode)
 		if err != nil {
 			return changed, err
 		}
@@ -307,7 +307,7 @@ func WriteContent(file ManagedFile) (bool, error) {
 		return changed, err
 	}
 
-	err = chown(target, file.User, file.Group)
+	err = Chown(target, file.User, file.Group)
 	if err != nil {
 		return false, err
 	}

internal/run.go

@@ -82,10 +82,10 @@ func Move(src, dst string, setOwner bool) error {
 		return nil
 	}
 
-	err = chown(dst, rootUser, rootUser)
+	err = Chown(dst, rootUser, rootUser)
 	if err != nil {
 		return err
 	}
 
-	return chmod(dst, defaultFileMode)
+	return Chmod(dst, defaultFileMode)
 }

provision/release.go

@@ -37,6 +37,8 @@ const (
 	executableMimeType = "application/x-executable"
 	githubReleaseRegex = "https://github.com/[a-zA-Z_-]+/[a-zA-Z_-]+/releases/download/[v0-9.]+/[a-zA-Z0-9_.-]+"
 	gzipMimeType       = "application/gzip"
+	rootUser           = "root"
+	setuidExecutable   = 0o4755
 	sharedLibMimeType  = "application/x-sharedlib"
 	tarMimeType        = "application/x-tar"
 	xzMimeType         = "application/x-xz"
@@ -138,6 +140,15 @@ func processDownload(release entity.Release, s settings.Settings) (info ReleaseI
 		}
 	}
 
+	var chromeSandbox string
+	if release.ChromeSandbox != "" {
+		chromeSandbox = path.Join(absTarget, release.ChromeSandbox)
+		err = internal.EnsureFileAbsent(chromeSandbox)
+		if err != nil {
+			return info, fmt.Errorf("error removing chrome-sandbox file %s: %v", chromeSandbox, err)
+		}
+	}
+
 	extractFn, err := getExtractionFn(fileType.String())
 	if err != nil {
 		return
@@ -147,6 +158,18 @@ func processDownload(release entity.Release, s settings.Settings) (info ReleaseI
 		return
 	}
 
+	if chromeSandbox != "" {
+		err = internal.Chown(chromeSandbox, rootUser, rootUser)
+		if err != nil {
+			return info, err
+		}
+
+		err = internal.Chmod(chromeSandbox, setuidExecutable)
+		if err != nil {
+			return info, err
+		}
+	}
+
 	err = os.Remove(tempFile)
 	if err != nil {
 		return