3 files changed, 40 insertions, 7 deletions

diff --git a/chrome/chrome_tests.gypi b/chrome/chrome_tests.gypi
index 791c930..7895407 100644
--- a/chrome/chrome_tests.gypi
+++ b/chrome/chrome_tests.gypi
@@ -1719,7 +1719,8 @@
         'test/gpu/gpu_feature_browsertest.cc',
         'test/gpu/webgl_infobar_browsertest.cc',
         'test/ppapi/ppapi_browsertest.cc',
-        'test/security_tests/sandbox_browsertest.cc',
+        'test/security_tests/sandbox_browsertest_linux.cc',
+        'test/security_tests/sandbox_browsertest_win.cc',
         # TODO(craig): Rename this and run from base_unittests when the test
         # is safe to run there. See http://crbug.com/78722 for details.
         '../base/files/file_path_watcher_browsertest.cc',
diff --git a/chrome/test/security_tests/sandbox_browsertest_linux.cc b/chrome/test/security_tests/sandbox_browsertest_linux.cc
new file mode 100644
index 0000000..f9c26599
--- /dev/null
+++ b/chrome/test/security_tests/sandbox_browsertest_linux.cc
@@ -0,0 +1,34 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/test/base/in_process_browser_test.h"
+#include "content/public/browser/zygote_host_linux.h"
+#include "content/public/common/sandbox_linux.h"
+
+typedef InProcessBrowserTest SandboxLinuxTest;
+
+// Both the SUID sandbox (http://crbug.com/137653) and the Seccomp-BPF sandbox
+// are currently incompatible with ASan.
+#if defined(OS_LINUX) && !defined(ADDRESS_SANITIZER)
+#define MAYBE_SandboxStatus \
+        SandboxStatus
+#else
+#define MAYBE_SandboxStatus \
+        DISABLED_SandboxStatus
+#endif
+
+IN_PROC_BROWSER_TEST_F(SandboxLinuxTest, MAYBE_SandboxStatus) {
+  // Get expected sandboxing status of renderers.
+  const int status = content::ZygoteHost::GetInstance()->GetSandboxStatus();
+
+  // The setuid sandbox is required as our first-layer sandbox.
+  bool good_layer1 = status & content::kSandboxLinuxSUID &&
+                     status & content::kSandboxLinuxPIDNS &&
+                     status & content::kSandboxLinuxNetNS;
+  // A second-layer sandbox is also required to be adequately sandboxed.
+  bool good_layer2 = status & content::kSandboxLinuxSeccompBpf;
+
+  EXPECT_TRUE(good_layer1);
+  EXPECT_TRUE(good_layer2);
+}
diff --git a/chrome/test/security_tests/sandbox_browsertest.cc b/chrome/test/security_tests/sandbox_browsertest_win.cc
index 8b09a95..05c10bb 100644
--- a/chrome/test/security_tests/sandbox_browsertest.cc
+++ b/chrome/test/security_tests/sandbox_browsertest_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,9 +8,9 @@
 #include "chrome/common/chrome_switches.h"
 #include "chrome/test/base/in_process_browser_test.h"
 
-class SandboxTest : public InProcessBrowserTest {
+class SandboxWinTest : public InProcessBrowserTest {
  protected:
-  SandboxTest() : InProcessBrowserTest() {}
+  SandboxWinTest() : InProcessBrowserTest() {}
 
   virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
     command_line->AppendSwitchASCII(switches::kTestSandbox,
@@ -19,9 +19,7 @@ class SandboxTest : public InProcessBrowserTest {
 };
 
 // Need a cross-platform test library: http://crbug.com/45771
-#if defined(OS_WIN)
 // Verifies that chrome is running properly.
-IN_PROC_BROWSER_TEST_F(SandboxTest, ExecuteDll) {
+IN_PROC_BROWSER_TEST_F(SandboxWinTest, ExecuteDll) {
   EXPECT_EQ(1, browser()->tab_strip_model()->count());
 }
-#endif