Run NaCl itself in Chromium's Linux sandbox

This is achieved by forking the NaCl loader process (Chromium's
compiled-in sel_ldr) from the Zygote process.

This leaves the sel_ldr with a little excess authority, because it has
access to the IPC methods (e.g. for fonts) implemented in
render_sandbox_host_linux.cc.

BUG=36676
TEST=nacl_ui_tests

Review URL: http://codereview.chromium.org/669274

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41056 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 13 insertions, 2 deletions

diff --git a/chrome/app/chrome_dll_main.cc b/chrome/app/chrome_dll_main.cc
index f0e0f82..db9f045 100644
--- a/chrome/app/chrome_dll_main.cc
+++ b/chrome/app/chrome_dll_main.cc
@@ -744,7 +744,18 @@ int ChromeMain(int argc, char** argv) {
         *CommandLine::ForCurrentProcess();
       MainFunctionParams main_params(parsed_command_line, sandbox_wrapper,
                                      &autorelease_pool);
-      rv = RendererMain(main_params);
+      std::string process_type =
+        parsed_command_line.GetSwitchValueASCII(switches::kProcessType);
+      if (process_type == switches::kRendererProcess ||
+          process_type == switches::kExtensionProcess) {
+        rv = RendererMain(main_params);
+#ifndef DISABLE_NACL
+      } else if (process_type == switches::kNaClLoaderProcess) {
+        rv = NaClMain(main_params);
+#endif
+      } else {
+        NOTREACHED() << "Unknown process type";
+      }
     } else {
       rv = 0;
     }
diff --git a/chrome/browser/nacl_host/nacl_process_host.cc b/chrome/browser/nacl_host/nacl_process_host.cc
index 1114cb7..58b689f 100644
--- a/chrome/browser/nacl_host/nacl_process_host.cc
+++ b/chrome/browser/nacl_host/nacl_process_host.cc
@@ -104,7 +104,7 @@ bool NaClProcessHost::LaunchSelLdr() {
 #if defined(OS_WIN)
         FilePath(),
 #elif defined(OS_POSIX)
-        false,
+        true, // use_zygote
         base::environment_vector(),
 #endif
         cmd_line);