Clean up GPU process seccomp-bpf sandbox policies.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 409 matching lines @@
           "/usr/lib64/va/drivers/i965_drv_video.so";
       dlopen(kI965DrvVideoPath_64, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
     }
   }
 #endif
 }
 
 // Is the sandbox fully disabled for this process?
 bool ShouldDisableBpfSandbox(const CommandLine& command_line,
                              const std::string& process_type) {
-  if (process_type == switches::kGpuProcess) {
-    // The GPU sandbox is disabled by default in ChromeOS, enabled by default on
-    // generic Linux.
-    // TODO(jorgelo): when we feel comfortable, make this a policy decision
-    // instead. (i.e. move this to GetProcessSyscallPolicy) and return an
-    // AllowAllPolicy for lack of "--enable-gpu-sandbox".
-    bool should_disable;
-    if (IsChromeOS()) {
-      should_disable = true;
-    } else {
-      should_disable = false;
-    }
-
-    if (command_line.HasSwitch(switches::kEnableGpuSandbox))
-      should_disable = false;
-    if (command_line.HasSwitch(switches::kDisableGpuSandbox))
-      should_disable = true;
-    return should_disable;
-  }
+  if (process_type == switches::kGpuProcess)
+    return command_line.HasSwitch(switches::kDisableGpuSandbox);

[jln (very slow on Chromium), 2012/08/06 21:36:50]

Also, could you kill this function and inline this in
SandboxSeccompBpf::ShouldEnableSeccompBpf() ?

 
   return false;
 }
 
 playground2::Sandbox::EvaluateSyscall GetProcessSyscallPolicy(
     const CommandLine& command_line,
     const std::string& process_type) {
 #if defined(__x86_64__)
   if (process_type == switches::kGpuProcess) {
-    return GpuProcessPolicy_x86_64;
+    if (command_line.HasSwitch(switches::kEnableGpuSandbox))
+      return GpuProcessPolicy_x86_64;
+    else
+      return AllowAllPolicy;
   }
 
   if (process_type == switches::kPpapiPluginProcess) {
     // TODO(jln): figure out what to do with non-Flash PPAPI
     // out-of-process plug-ins.
     return FlashProcessPolicy_x86_64;
   }
 
   if (process_type == switches::kRendererProcess ||
       process_type == switches::kWorkerProcess) {
     return BlacklistPtracePolicy;
   }
   NOTREACHED();
   // This will be our default if we need one.
   return AllowAllPolicy;
 #else
+  if (process_type == switches::kGpuProcess) {
+    if (command_line.HasSwitch(switches::kEnableGpuSandbox))
+      return BlacklistPtracePolicy;
+    else
+      return AllowAllPolicy;
+  }
+
   // On IA32, we only have a small blacklist at the moment.
-  (void) process_type;
   return BlacklistPtracePolicy;
 #endif  // __x86_64__
 }
 
 // Initialize the seccomp-bpf sandbox.
 bool StartBpfSandbox_x86(const CommandLine& command_line,
                          const std::string& process_type) {
   playground2::Sandbox::EvaluateSyscall SyscallPolicy =
       GetProcessSyscallPolicy(command_line, process_type);
 
@@ skipping 52 matching lines @@
       // Process-specific policy.
       ShouldEnableSeccompBpf(process_type) &&
       SupportsSandbox()) {
     return StartBpfSandbox_x86(command_line, process_type);
   }
 #endif
   return false;
 }
 
 }  // namespace content