From aeaf937b8a02b0a9b1c79e0e2f1d5f407313264c Mon Sep 17 00:00:00 2001
From: "evan@chromium.org"
Date: Thu, 18 Feb 2010 15:25:55 +0000
Subject: linux: enable seccomp sandbox by default

This is an experiment. Hopefully it will flush out problems. Use --disable-seccomp-sandbox to turn it off.
BUG=36133
Review URL: http://codereview.chromium.org/647017
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39358 0039d316-1c4b-4281-b951-d872f2087c98
---
 chrome/browser/zygote_main_linux.cc | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'chrome/browser/zygote_main_linux.cc')
diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc
index 009ba00d..a526d97 100644
--- a/chrome/browser/zygote_main_linux.cc
+++ b/chrome/browser/zygote_main_linux.cc
@@ -607,8 +607,8 @@ bool ZygoteMain(const MainFunctionParams& params) {
 // The seccomp sandbox needs access to files in /proc, which might be denied
 // after one of the other sandboxes have been started. So, obtain a suitable
 // file handle in advance.
- if (CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox)) {
+ if (!CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableSeccompSandbox)) {
 g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);
 if (g_proc_fd < 0) {
 LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "
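Review bot: With the sandbox now on by default, the `g_proc_fd < 0` branch under the changed condition fails open. It logs at ERROR and, judging by the message text, continues without seccomp, while the second hunk (@@ -629) turns missing kernel support into `LOG(FATAL)`. The two failure paths should follow the same policy, or the difference should be stated in a comment above the `open()` call, for example `// Unlike missing kernel support below, a failed open of /proc only disables seccomp; renderers then run without it.` It would also help to say whether `switches::kEnableSeccompSandbox` is still defined, since after this change it is no longer consulted here and existing command lines passing it have no effect in this function. The body of the `if (g_proc_fd < 0)` block continues outside the hunk, so the degraded-mode handling itself is not visible.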
@@ -629,16 +629,16 @@ bool ZygoteMain(const MainFunctionParams& params) {
 // already check if sufficient support is available so that we only need to
 // print one error message for the entire browser session.
 if (g_proc_fd >= 0 &&
- CommandLine::ForCurrentProcess()->HasSwitch(
- switches::kEnableSeccompSandbox)) {
+ !CommandLine::ForCurrentProcess()->HasSwitch(
+ switches::kDisableSeccompSandbox)) {
 if (!SupportsSeccompSandbox(g_proc_fd)) {
 // There are a good number of users who cannot use the seccomp sandbox
 // (e.g. because their distribution does not enable seccomp mode by
 // default). While we would prefer to deny execution in this case, it
 // seems more realistic to continue in degraded mode.
- LOG(ERROR) << "WARNING! This machine lacks support needed for the "
- "Seccomp sandbox. Running renderers with Seccomp "
- "sandboxing disabled.";
+ LOG(FATAL) << "WARNING! This machine lacks support needed for the "
+ "Seccomp sandbox. Please report your system specs on "
+ "http://code.google.com/p/chromium/issues/detail?id=36133";
 } else {
 LOG(INFO) << "Enabling experimental Seccomp sandbox.";
 }
-- 
cgit v1.1
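Review bot: The retained comment above the changed log statement still says it "seems more realistic to continue in degraded mode", but the new `LOG(FATAL)` aborts the zygote on machines without seccomp support, so the comment now contradicts the code. It should state the new policy, for example `// Experiment (bug 36133): abort instead of silently running renderers unsandboxed, so unsupported systems get reported.` The fatal message also keeps the "WARNING!" prefix and gives the user no way to start the browser. The commit message names `--disable-seccomp-sandbox`, so the text could end with `"Seccomp sandbox. Run with --disable-seccomp-sandbox and report your system specs on "`, which makes running without the sandbox an explicit, visible choice. The switch test here repeats the one in the first hunk; if `g_proc_fd` is only ever set under that test, `g_proc_fd >= 0` alone would suffice, but its initialisation is outside the hunk.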