diff options
| author | evan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-30 19:47:41 +0000 |
|---|---|---|
| committer | evan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-30 19:47:41 +0000 |
| commit | 39c4e1a8b2343b3883a098a8e0d21fb8bd3204cf (patch) | |
| tree | 456e767833a5abfca7ab89ba2e66c8935cfab1f7 /chrome/browser/zygote_main_linux.cc | |
| parent | 3cd488a822976fd97aeb7e5237e483100a24fa12 (diff) | |
| download | chromium_src-39c4e1a8b2343b3883a098a8e0d21fb8bd3204cf.zip chromium_src-39c4e1a8b2343b3883a098a8e0d21fb8bd3204cf.tar.gz chromium_src-39c4e1a8b2343b3883a098a8e0d21fb8bd3204cf.tar.bz2 | |
linux: enable seccomp sandbox by default
It seems the best way to keep the seccomp sandbox working is to have
everyone's development environment have it on by default. So we turn
on the seccomp sandbox, but only for non-official builds.
If the build-time flag is set: --disable-seccomp-sandbox turns it off.
If the build-time flag is *not* set: --enable-seccomp-sandbox turns it on.
BUG=36133
Review URL: http://codereview.chromium.org/1558003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@43122 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/zygote_main_linux.cc')
| -rw-r--r-- | chrome/browser/zygote_main_linux.cc | 10 |
1 files changed, 3 insertions, 7 deletions
diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc index 7d877bd..793c855 100644 --- a/chrome/browser/zygote_main_linux.cc +++ b/chrome/browser/zygote_main_linux.cc @@ -509,8 +509,7 @@ static bool EnterSandbox() { // chrooted. const char* const sandbox_fd_string = getenv("SBX_D"); - if (CommandLine::ForCurrentProcess()->HasSwitch( - switches::kEnableSeccompSandbox)) { + if (switches::SeccompSandboxEnabled()) { PreSandboxInit(); SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor); } else if (sandbox_fd_string) { // Use the SUID sandbox. @@ -618,8 +617,7 @@ bool ZygoteMain(const MainFunctionParams& params) { // The seccomp sandbox needs access to files in /proc, which might be denied // after one of the other sandboxes have been started. So, obtain a suitable // file handle in advance. - if (CommandLine::ForCurrentProcess()->HasSwitch( - switches::kEnableSeccompSandbox)) { + if (switches::SeccompSandboxEnabled()) { g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY); if (g_proc_fd < 0) { LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp " @@ -639,9 +637,7 @@ bool ZygoteMain(const MainFunctionParams& params) { // The seccomp sandbox will be turned on when the renderers start. But we can // already check if sufficient support is available so that we only need to // print one error message for the entire browser session. - if (g_proc_fd >= 0 && - CommandLine::ForCurrentProcess()->HasSwitch( - switches::kEnableSeccompSandbox)) { + if (g_proc_fd >= 0 && switches::SeccompSandboxEnabled()) { if (!SupportsSeccompSandbox(g_proc_fd)) { // There are a good number of users who cannot use the seccomp sandbox // (e.g. because their distribution does not enable seccomp mode by |