Linux sandbox: change API to start the sandbox

content/public/common/sandbox_init.h

Index: content/public/common/sandbox_init.h
diff --git a/content/public/common/sandbox_init.h b/content/public/common/sandbox_init.h
index 4173d9afe4ddedfeeb6273be065efc44bc3b68b5..2b337520f4b03fb4edae59065ac0608ea9199b8a 100644
--- a/content/public/common/sandbox_init.h
+++ b/content/public/common/sandbox_init.h
@@ -5,6 +5,7 @@
 #ifndef CONTENT_PUBLIC_COMMON_SANDBOX_INIT_H_
 #define CONTENT_PUBLIC_COMMON_SANDBOX_INIT_H_
 
+#include "base/files/scoped_file.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/process/process.h"
 #include "build/build_config.h"
@@ -86,9 +87,13 @@ CONTENT_EXPORT bool InitializeSandbox(int sandbox_type,
 class SandboxInitializerDelegate;
 
 // Initialize a seccomp-bpf sandbox. |policy| may not be NULL.
+// If an existing layer of sandboxing is present that would prevent access to
+// /proc,

[nasko, 2014/11/24 23:01:02]

nit: no need for a line break after the comma, join with next line.

[jln (very slow on Chromium), 2014/11/24 23:26:03]

Done. I love clang-format, but it's not good for comments.

+// |proc_task_fd| must be a valid file descriptor to /proc/self/tasks.
 // Returns true if the sandbox has been properly engaged.
 CONTENT_EXPORT bool InitializeSandbox(
-    scoped_ptr<sandbox::bpf_dsl::Policy> policy);
+    scoped_ptr<sandbox::bpf_dsl::Policy> policy,
+    base::ScopedFD proc_task_fd);
 
 // Return a "baseline" policy. This is used by a SandboxInitializerDelegate to
 // implement a policy that is derived from the baseline.