Linux: add a seccomp-bpf sandbox for renderers

content/common/sandbox_linux.cc

Index: content/common/sandbox_linux.cc
diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
index fb39c11d31b108252119d000c27cd15c655b73af..ad73fe6b1e26eb3f2a500e4bedc563b3556cc2d5 100644
--- a/content/common/sandbox_linux.cc
+++ b/content/common/sandbox_linux.cc
@@ -158,16 +158,21 @@ int LinuxSandbox::GetStatus() const {
     if (setuid_sandbox_client_->IsInNewNETNamespace())
       sandbox_flags |= kSandboxLinuxNetNS;
   }
-  if (seccomp_legacy_supported() &&
-      ShouldEnableSeccompLegacy(switches::kRendererProcess)) {
+
+  if (seccomp_bpf_supported() &&
+      SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) {
     // We report whether the sandbox will be activated when renderers go
     // through sandbox initialization.
-    sandbox_flags |= kSandboxLinuxSeccompLegacy;
+    sandbox_flags |= kSandboxLinuxSeccompBpf;
   }
-  if (seccomp_bpf_supported() &&
-      SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) {
+
+  // We only try to enable seccomp-legacy when seccomp-bpf is not supported
+  // or not enabled.
+  if (!(sandbox_flags & kSandboxLinuxSeccompBpf) &&
+      seccomp_legacy_supported() &&
+      ShouldEnableSeccompLegacy(switches::kRendererProcess)) {
     // Same here, what we report is what we will do for the renderer.
-    sandbox_flags |= kSandboxLinuxSeccompBpf;
+    sandbox_flags |= kSandboxLinuxSeccompLegacy;
   }
   return sandbox_flags;
 }