Load additional NSS library files in zygote main if remoting is enabled

Instead of initializing NSS before the sandbox is engaged this loads the
necessary additional libraries for NSS to function properly. This allows
initializing NSS after sandbox is closed and solve the security problem
of loading NSS early.

BUG=None
TEST=None

Review URL: http://codereview.chromium.org/6672034

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@78633 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 6 insertions, 13 deletions

diff --git a/content/browser/zygote_main_linux.cc b/content/browser/zygote_main_linux.cc
index 8a563b3..0da3212 100644
--- a/content/browser/zygote_main_linux.cc
+++ b/content/browser/zygote_main_linux.cc
@@ -605,19 +605,12 @@ static void PreSandboxInit() {
   if (PathService::Get(chrome::DIR_MEDIA_LIBS, &media_path))
     media::InitializeMediaLibrary(media_path);
 
-  // Remoting requires NSS to function properly. It is not used for other
-  // reasons so load NSS only if remoting is enabled.
-  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-  if (command_line.HasSwitch(switches::kEnableRemoting)) {
-    // We are going to fork to engage the sandbox and we have not loaded
-    // any security modules so it is safe to disable the fork check in NSS.
-    base::DisableNSSForkCheck();
-
-    // Initialize NSS so that we load the necessary library files
-    // before we enter the sandbox.
-    base::ForceNSSNoDBInit();
-    base::EnsureNSSInit();
-  }
+  // NSS libraries are loaded before sandbox is activated. This is to allow
+  // successful initialization of NSS which tries to load extra library files.
+  // Doing so will allow NSS to be used within sandbox for chromoting.
+#if defined(USE_NSS)
+  base::LoadNSSLibraries();
+#endif
 
   // Ensure access to the Pepper plugins before the sandbox is turned on.
   PepperPluginRegistry::PreloadModules();