Index: content/common/sandbox_linux.cc |
diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc |
index fb39c11d31b108252119d000c27cd15c655b73af..ad73fe6b1e26eb3f2a500e4bedc563b3556cc2d5 100644 |
--- a/content/common/sandbox_linux.cc |
+++ b/content/common/sandbox_linux.cc |
@@ -158,16 +158,21 @@ int LinuxSandbox::GetStatus() const { |
if (setuid_sandbox_client_->IsInNewNETNamespace()) |
sandbox_flags |= kSandboxLinuxNetNS; |
} |
- if (seccomp_legacy_supported() && |
- ShouldEnableSeccompLegacy(switches::kRendererProcess)) { |
+ |
+ if (seccomp_bpf_supported() && |
+ SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) { |
// We report whether the sandbox will be activated when renderers go |
// through sandbox initialization. |
- sandbox_flags |= kSandboxLinuxSeccompLegacy; |
+ sandbox_flags |= kSandboxLinuxSeccompBpf; |
} |
- if (seccomp_bpf_supported() && |
- SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) { |
+ |
+ // We only try to enable seccomp-legacy when seccomp-bpf is not supported |
+ // or not enabled. |
+ if (!(sandbox_flags & kSandboxLinuxSeccompBpf) && |
+ seccomp_legacy_supported() && |
+ ShouldEnableSeccompLegacy(switches::kRendererProcess)) { |
// Same here, what we report is what we will do for the renderer. |
- sandbox_flags |= kSandboxLinuxSeccompBpf; |
+ sandbox_flags |= kSandboxLinuxSeccompLegacy; |
} |
return sandbox_flags; |
} |
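Review bot: The rule that seccomp-legacy is only considered when `kSandboxLinuxSeccompBpf` is not set lives in `GetStatus()`, which by its own comments reports a prediction of what renderers will do rather than an observed state. The reported flags are therefore accurate only if the renderer's sandbox initialization applies the same precedence; that code is not visible in this hunk, so this is worth checking. If seccomp-bpf is predicted here but fails to start in the renderer, the status would presumably still show BPF, and any fallback to legacy (or to no seccomp at all) would go unreported. Consider moving the decision into a single helper shared by reporting and enforcement, or at least extend the comment, e.g. `// Must match the renderer's sandbox initialization: legacy is attempted only when seccomp-bpf will not be started.` The body of `GetStatus()` begins outside this hunk.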