Index: content/common/sandbox_linux.cc |
diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc |
index 20eedfaeebe5c4883cf774089f97778bf4d5f910..06021ae2792f7779f511c7671c9de4f6c4f87e76 100644 |
--- a/content/common/sandbox_linux.cc |
+++ b/content/common/sandbox_linux.cc |
@@ -176,6 +176,39 @@ void LinuxSandbox::PreinitializeSandbox(const std::string& process_type) { |
PreinitializeSandboxFinish(process_type); |
} |
+bool LinuxSandbox::InitializeSandbox() { |
+ bool seccomp_legacy_started = false; |
+ bool seccomp_bpf_started = false; |
+ LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); |
+ const std::string process_type = |
+ CommandLine::ForCurrentProcess()->GetSwitchValueASCII( |
+ switches::kProcessType); |
+ |
+ // No matter what, it's always an error to call InitializeSandbox() after |
+ // threads have been created. |
+ if (!linux_sandbox->IsSingleThreaded()) { |
+ std::string error_message = "InitializeSandbox() called with multiple " |
+ "threads in process " + process_type; |
+ // TODO(jln): change this into a CHECK() once we are more comfortable it |
+ // does not trigger. |
+ LOG(ERROR) << error_message; |
+ return false; |
+ } |
+ |
+ // Attempt to limit the future size of the address space of the process. |
+ linux_sandbox->LimitAddressSpace(process_type); |
+ |
+ // First, try to enable seccomp-bpf. |
+ seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type); |
+ |
+ // If that fails, try to enable seccomp-legacy. |
+ if (!seccomp_bpf_started) { |
+ seccomp_legacy_started = linux_sandbox->StartSeccompLegacy(process_type); |
+ } |
+ |
+ return seccomp_legacy_started || seccomp_bpf_started; |
+} |
+ |
int LinuxSandbox::GetStatus() const { |
CHECK(pre_initialized_); |
int sandbox_flags = 0; |