Linux: make current InitializeSandbox() private.

content/zygote/zygote_linux.cc

Index: content/zygote/zygote_linux.cc
diff --git a/content/zygote/zygote_linux.cc b/content/zygote/zygote_linux.cc
index b546e15b2df45ee6e460e81889a0f705aeb783f8..2be587cb390cd5df7ad08136ecf8f965096e8259 100644
--- a/content/zygote/zygote_linux.cc
+++ b/content/zygote/zygote_linux.cc
@@ -24,6 +24,7 @@
 #include "content/common/set_process_title.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/common/content_descriptors.h"
+#include "content/public/common/content_switches.h"
 #include "content/public/common/result_codes.h"
 #include "content/public/common/sandbox_linux.h"
 #include "content/public/common/zygote_fork_delegate_linux.h"
@@ -435,7 +436,16 @@ base::ProcessId Zygote::ReadArgsAndFork(const Pickle& pickle,
     // This is the child process.
 
     // At this point, we finally know our process type.
-    LinuxSandbox::GetInstance()->PreinitializeSandboxFinish(process_type);
+    if (process_type == switches::kRendererProcess) {
+      // The seccomp-legacy sandbox requires special handling and is only
+      // ever enabled for renderers. TODO(jln): remove the seccomp-legacy
+      // sandbox.
+      LinuxSandbox::GetInstance()->PreinitializeSandboxFinish(
+          LinuxSandbox::SANDBOX_CONFIG_RENDERER);
+    } else {
+      LinuxSandbox::GetInstance()->PreinitializeSandboxFinish(
+          LinuxSandbox::SANDBOX_CONFIG_GENERIC);
+    }
 
     close(kBrowserDescriptor);  // Our socket from the browser.
     if (UsingSUIDSandbox())