authormseaborn@chromium.org <mseaborn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-09-16 09:46:59 +0000
committermseaborn@chromium.org <mseaborn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-09-16 09:46:59 +0000
commit0dc323219220ecdaad24299827267d9b33873954 (patch)
tree5f9c676e719c7d61d1bdfb711f503ea15e6da35a /chrome/browser/zygote_main_linux.cc
parent01f91e825511800dde18826d979cbc4d39c5862d (diff)
Linux sandbox: Allow seccomp sandbox to be stacked on top of the SUID sandbox
Since this mostly worked before, this is just a matter of reordering some "if" clauses. Before this change, --enable-seccomp-sandbox would have the side effect of disabling the SUID sandbox. The zygote would get run through the SUID helper, but the zygote would never send the message to turn the SUID sandbox on. Change this so that --enable-seccomp-sandbox does not disable the SUID sandbox. BUG=55599 TEST=Tested manually with: cd native_client && ./tools/httpd.py & CHROME_DEVEL_SANDBOX=/opt/google/chrome/chrome-sandbox ./out/Debug/chrome-wrapper --enable-nacl --enable-seccomp-sandbox http://localhost:5103/tests/prebuilt/srpc_hw.html Review URL: http://codereview.chromium.org/3449001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@59630 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/zygote_main_linux.cc')
-rw-r--r--chrome/browser/zygote_main_linux.cc10
1 files changed, 6 insertions, 4 deletions
diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc
index 3e3265a..5c0061b 100644
--- a/chrome/browser/zygote_main_linux.cc
+++ b/chrome/browser/zygote_main_linux.cc
@@ -560,10 +560,9 @@ static bool EnterSandbox() {
// chrooted.
const char* const sandbox_fd_string = getenv("SBX_D");
- if (switches::SeccompSandboxEnabled()) {
- PreSandboxInit();
- SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
- } else if (sandbox_fd_string) { // Use the SUID sandbox.
+ if (sandbox_fd_string) {
+ // Use the SUID sandbox. This still allows the seccomp sandbox to
+ // be enabled by the process later.
g_suid_sandbox_active = true;
char* endptr;
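Review bot: The new comment on the `if (sandbox_fd_string)` branch says seccomp can still be enabled later, but it does not say what this branch must do for that to work. In the stacked configuration the seccomp-only branch added further down is no longer reached, so its `PreSandboxInit()` and `SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor)` calls have to be covered by the SUID branch. The rest of that branch lies outside this hunk, so I cannot confirm that from here. I would extend the comment to something like `// Use the SUID sandbox. Seccomp may be stacked on top later, so this branch must perform the same pre-sandbox setup as the seccomp-only branch below.`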
@@ -623,6 +622,9 @@ static bool EnterSandbox() {
return false;
}
}
+ } else if (switches::SeccompSandboxEnabled()) {
+ PreSandboxInit();
+ SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
} else {
SkiaFontConfigUseDirectImplementation();
}
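Review bot: The `else if (switches::SeccompSandboxEnabled())` branch is now taken only when `SBX_D` is unset, and nothing in the code says so. In that case the process gets no SUID-helper confinement, and judging by the comment in the first hunk seccomp itself is only turned on later, so this branch prepares for a sandbox rather than entering one. A comment such as `// SBX_D is unset: no SUID sandbox. Seccomp will be the only layer and is enabled later by the process.` would make that explicit. It may also be worth logging this case, so that a missing SUID helper is visible when the seccomp flag is set. `EnterSandbox()` continues past the end of the hunk.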