summaryrefslogtreecommitdiffstats
path: root/chrome/browser/zygote_main_linux.cc
diff options
context:
space:
mode:
Diffstat (limited to 'chrome/browser/zygote_main_linux.cc')
-rw-r--r--chrome/browser/zygote_main_linux.cc17
1 files changed, 17 insertions, 0 deletions
diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc
index b9839d3..2b9d5fb 100644
--- a/chrome/browser/zygote_main_linux.cc
+++ b/chrome/browser/zygote_main_linux.cc
@@ -40,6 +40,8 @@
#include "skia/ext/SkFontHost_fontconfig_control.h"
+#include "sandbox/linux/seccomp/sandbox.h"
+
#include "unicode/timezone.h"
// http://code.google.com/p/chromium/wiki/LinuxZygote
@@ -581,6 +583,21 @@ bool ZygoteMain(const MainFunctionParams& params) {
g_am_zygote_or_renderer = true;
#endif
+ if (CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kEnableSeccompSandbox)) {
+ if (!SupportsSeccompSandbox()) {
+ // There are a good number of users who cannot use the seccomp sandbox
+ // (e.g. because their distribution does not enable seccomp mode by
+ // default). While we would prefer to deny execution in this case, it
+ // seems more realistic to continue in degraded mode.
+ LOG(ERROR) << "WARNING! This machine lacks support needed for the "
+ "Seccomp sandbox. Running renderers with Seccomp "
+ "sandboxing disabled.";
+ } else {
+ LOG(INFO) << "Enabling experimental Seccomp sandbox.";
+ }
+ }
+
if (!EnterSandbox()) {
LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
<< errno << ")";
generated by cgit v1.1 at 2024-09-18 01:36:02 +0000