authorevan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-03 21:08:12 +0000
committerevan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-03 21:08:12 +0000
commit65f607f8a443d635d5b1ea54bac03100e9b12298 (patch)
treeea1826687e8bf7ca4705aa539a304c9d6e753a0b /content
parent3db8bb08078f239887acebad75af1e32f4c7d601 (diff)
seccomp: refactor logic into a header file
I had hoped for this logic to get simpler, but it looks like it needs to be complicated for now. :( Review URL: http://codereview.chromium.org/7465095 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@95317 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r--content/browser/zygote_main_linux.cc34
-rw-r--r--content/common/seccomp_sandbox.h39
-rw-r--r--content/renderer/renderer_main_platform_delegate_linux.cc14
3 files changed, 49 insertions, 38 deletions
diff --git a/content/browser/zygote_main_linux.cc b/content/browser/zygote_main_linux.cc
index 76fe656..2f156ed 100644
--- a/content/browser/zygote_main_linux.cc
+++ b/content/browser/zygote_main_linux.cc
@@ -35,6 +35,7 @@
#include "content/common/process_watcher.h"
#include "content/common/result_codes.h"
#include "content/common/sandbox_methods_linux.h"
+#include "content/common/seccomp_sandbox.h"
#include "content/common/set_process_title.h"
#include "content/common/unix_domain_socket_posix.h"
#include "content/common/zygote_fork_delegate_linux.h"
@@ -62,30 +63,9 @@ static const int kMagicSandboxIPCDescriptor = 5;
static const int kZygoteIdDescriptor = 7;
static bool g_suid_sandbox_active = false;
-// Seccomp enable/disable logic is centralized here.
-// - We define SECCOMP_SANDBOX if seccomp is compiled in at all: currently,
-// on non-views (non-ChromeOS) non-ARM non-Clang Linux only.
-// - If we have SECCOMP_SANDBOX, we provide SeccompEnabled() as a
-// run-time test to determine whether to turn on seccomp: currently
-// it's behind an --enable-seccomp-sandbox switch.
-
-// This #ifdef logic must be kept in sync with
-// renderer_main_platform_delegate_linux.cc. See TODO in that file.
-#if defined(ARCH_CPU_X86_FAMILY) && !defined(CHROMIUM_SELINUX) && \
- !defined(__clang__) && !defined(OS_CHROMEOS) && !defined(TOOLKIT_VIEWS)
-#define SECCOMP_SANDBOX
-#include "seccompsandbox/sandbox.h"
-#endif
-
#if defined(SECCOMP_SANDBOX)
-static bool SeccompEnabled() {
- return CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox) &&
- !CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kDisableSeccompSandbox);
-}
static int g_proc_fd = -1;
-#endif // SECCOMP_SANDBOX
+#endif
#if defined(CHROMIUM_SELINUX)
static void SELinuxTransitionToTypeOrDie(const char* type) {
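Review bot: The surviving `#if defined(SECCOMP_SANDBOX)` around `static int g_proc_fd = -1;` now depends on the macro being defined by `content/common/seccomp_sandbox.h` instead of by this file, so any translation unit that tests the macro without including that header, or that includes it after the test, silently compiles the no-seccomp path with no diagnostic. A one-line comment at the guard, `// SECCOMP_SANDBOX is defined by content/common/seccomp_sandbox.h; keep that include above every check.`, would make the dependency visible to the next editor. The include this relies on is the one added in this file's first hunk.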
@@ -431,7 +411,7 @@ class Zygote {
if (!child) {
#if defined(SECCOMP_SANDBOX)
- if (SeccompEnabled() && g_proc_fd >= 0) {
+ if (SeccompSandboxEnabled() && g_proc_fd >= 0) {
// Try to open /proc/self/maps as the seccomp sandbox needs access to it
int proc_self_maps = openat(g_proc_fd, "self/maps", O_RDONLY);
if (proc_self_maps >= 0) {
@@ -741,7 +721,7 @@ static bool EnterSandbox() {
}
}
#if defined(SECCOMP_SANDBOX)
- } else if (SeccompEnabled()) {
+ } else if (SeccompSandboxEnabled()) {
PreSandboxInit();
SkiaFontConfigSetImplementation(
new FontConfigIPC(kMagicSandboxIPCDescriptor));
@@ -769,7 +749,7 @@ bool ZygoteMain(const MainFunctionParams& params,
#endif
#if defined(SECCOMP_SANDBOX)
- if (SeccompEnabled()) {
+ if (SeccompSandboxEnabled()) {
// The seccomp sandbox needs access to files in /proc, which might be denied
// after one of the other sandboxes have been started. So, obtain a suitable
// file handle in advance.
@@ -809,7 +789,7 @@ bool ZygoteMain(const MainFunctionParams& params,
// The seccomp sandbox will be turned on when the renderers start. But we can
// already check if sufficient support is available so that we only need to
// print one error message for the entire browser session.
- if (g_proc_fd >= 0 && SeccompEnabled()) {
+ if (g_proc_fd >= 0 && SeccompSandboxEnabled()) {
if (!SupportsSeccompSandbox(g_proc_fd)) {
// There are a good number of users who cannot use the seccomp sandbox
// (e.g. because their distribution does not enable seccomp mode by
@@ -819,7 +799,7 @@ bool ZygoteMain(const MainFunctionParams& params,
"Seccomp sandbox. Running renderers with Seccomp "
"sandboxing disabled.";
} else {
- VLOG(1) << "Enabling experimental Seccomp sandbox.";
+ LOG(WARNING) << "Enabling experimental Seccomp sandbox.";
sandbox_flags |= ZygoteHost::kSandboxSeccomp;
}
}
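Review bot: The change from `VLOG(1)` to `LOG(WARNING)` on the "Enabling experimental Seccomp sandbox." line is a logging-level change unrelated to moving the enable logic into a header, and the commit description does not mention it. Printing this at WARNING on every browser start may be intended to make the experimental state visible, but it deserves a sentence in the description or a separate change so the behaviour change is not hidden inside a refactor. The enclosing ZygoteMain() starts and ends outside this hunk.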
diff --git a/content/common/seccomp_sandbox.h b/content/common/seccomp_sandbox.h
new file mode 100644
index 0000000..0eb3764
--- /dev/null
+++ b/content/common/seccomp_sandbox.h
@@ -0,0 +1,39 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_COMMON_SECCOMP_SANDBOX_H_
+#define CONTENT_COMMON_SECCOMP_SANDBOX_H_
+#pragma once
+
+// Seccomp enable/disable logic is centralized here.
+// - We define SECCOMP_SANDBOX if seccomp is compiled in at all: currently,
+// on non-views (non-ChromeOS) non-ARM non-Clang Linux only.
+// - If we have SECCOMP_SANDBOX, we provide SeccompSandboxEnabled() as
+// a run-time test to determine whether to turn on seccomp:
+// currently, on by default in debug builds and off by default in
+// release.
+
+#include "build/build_config.h"
+#include "content/common/content_switches.h"
+
+#if defined(ARCH_CPU_X86_FAMILY) && !defined(CHROMIUM_SELINUX) && \
+ !defined(__clang__) && !defined(OS_CHROMEOS) && !defined(TOOLKIT_VIEWS)
+#define SECCOMP_SANDBOX
+#include "seccompsandbox/sandbox.h"
+#endif
+
+#if defined(SECCOMP_SANDBOX)
+// Return true if seccomp is enabled.
+static bool SeccompSandboxEnabled() {
+ // TODO(evan): turn on for release too once we've flushed out all the bugs,
+ // allowing us to delete this file entirely and just rely on the "disabled"
+ // switch.
+ return CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kEnableSeccompSandbox) &&
+ !CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableSeccompSandbox);
+}
+#endif
+
+#endif // CONTENT_COMMON_SECCOMP_SANDBOX_H_
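Review bot: The header comment says SeccompSandboxEnabled() is "on by default in debug builds and off by default in release", but the function body returns true only when `switches::kEnableSeccompSandbox` is present and `switches::kDisableSeccompSandbox` is absent, with no build-type check, so debug builds are also off by default; the TODO above the return likewise presumes a debug default that is not implemented. Either the comment should describe what the code does, or the debug default should actually be added, e.g. behind an `#ifndef NDEBUG` branch. The function also calls `CommandLine::ForCurrentProcess()` while the header includes only `build/build_config.h` and `content/common/content_switches.h`; adding `#include "base/command_line.h"` keeps the header self-contained instead of relying on includers to have pulled it in. Since this lives in a header, `inline bool SeccompSandboxEnabled()` would avoid a separate static copy in every translation unit.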
diff --git a/content/renderer/renderer_main_platform_delegate_linux.cc b/content/renderer/renderer_main_platform_delegate_linux.cc
index 6467f57..8acc7f5 100644
--- a/content/renderer/renderer_main_platform_delegate_linux.cc
+++ b/content/renderer/renderer_main_platform_delegate_linux.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -6,14 +6,7 @@
#include "base/command_line.h"
#include "content/common/content_switches.h"
-
-// This #ifdef logic must be kept in sync with zygote_main_linux.cc.
-// TODO(evan): this file doesn't do anything anyway, we should delete it.
-#if defined(ARCH_CPU_X86_FAMILY) && !defined(CHROMIUM_SELINUX) && \
- !defined(__clang__) && !defined(OS_CHROMEOS) && !defined(TOOLKIT_VIEWS)
-#define SECCOMP_SANDBOX
-#include "seccompsandbox/sandbox.h"
-#endif
+#include "content/common/seccomp_sandbox.h"
RendererMainPlatformDelegate::RendererMainPlatformDelegate(
const MainFunctionParams& parameters)
@@ -45,8 +38,7 @@ bool RendererMainPlatformDelegate::EnableSandbox() {
// N.b. SupportsSeccompSandbox() returns a cached result, as we already
// called it earlier in the zygote. Thus, it is OK for us to not pass in
// a file descriptor for "/proc".
- if (CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox) && SupportsSeccompSandbox(-1))
+ if (SeccompSandboxEnabled() && SupportsSeccompSandbox(-1))
StartSeccompSandbox();
#endif
return true;
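Review bot: Replacing the direct `HasSwitch(switches::kEnableSeccompSandbox)` test with `SeccompSandboxEnabled()` means the renderer now also honours `switches::kDisableSeccompSandbox`, which the previous condition ignored; that aligns it with the zygote but is a behaviour change the commit description does not call out. The comment just above the condition states that SupportsSeccompSandbox(-1) reuses a result cached in the zygote, yet the zygote side of this commit only evaluates it when its `/proc` descriptor was opened successfully, so if that open failed the renderer appears to call it uncached with -1 and quietly runs without the seccomp sandbox — worth confirming and, if real, logging. EnableSandbox() starts before this hunk.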