Add an API around zygoteHost so that chrome doesn't reach into the internal content implementation.

content/browser/zygote_main_linux.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "content/browser/zygote_host_linux.h"
+#include "content/browser/zygote_host_impl_linux.h"
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
@@ skipping 151 matching lines @@
       PLOG(ERROR) << "Error reading message from browser";
       return false;
     }
 
     Pickle pickle(buf, len);
     void* iter = NULL;
 
     int kind;
     if (pickle.ReadInt(&iter, &kind)) {
       switch (kind) {
-        case ZygoteHost::kCmdFork:
+        case ZygoteHostImpl::kCmdFork:
           // This function call can return multiple times, once per fork().
           return HandleForkRequest(fd, pickle, iter, fds);
 
-        case ZygoteHost::kCmdReap:
+        case ZygoteHostImpl::kCmdReap:
           if (!fds.empty())
             break;
           HandleReapRequest(fd, pickle, iter);
           return false;
-        case ZygoteHost::kCmdGetTerminationStatus:
+        case ZygoteHostImpl::kCmdGetTerminationStatus:
           if (!fds.empty())
             break;
           HandleGetTerminationStatus(fd, pickle, iter);
           return false;
-        case ZygoteHost::kCmdGetSandboxStatus:
+        case ZygoteHostImpl::kCmdGetSandboxStatus:
           HandleGetSandboxStatus(fd, pickle, iter);
           return false;
         default:
           NOTREACHED();
           break;
       }
     }
 
     LOG(WARNING) << "Error parsing message from browser";
     for (std::vector<int>::const_iterator
@@ skipping 637 matching lines @@
 
   // Turn on the SELinux or SUID sandbox
   if (!EnterSandbox()) {
     LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
                << errno << ")";
     return false;
   }
 
   int sandbox_flags = 0;
   if (getenv("SBX_D"))
-    sandbox_flags |= ZygoteHost::kSandboxSUID;
+    sandbox_flags |= ZygoteHostImpl::kSandboxSUID;
   if (getenv("SBX_PID_NS"))
-    sandbox_flags |= ZygoteHost::kSandboxPIDNS;
+    sandbox_flags |= ZygoteHostImpl::kSandboxPIDNS;
   if (getenv("SBX_NET_NS"))
-    sandbox_flags |= ZygoteHost::kSandboxNetNS;
+    sandbox_flags |= ZygoteHostImpl::kSandboxNetNS;
 
 #if defined(SECCOMP_SANDBOX)
   // The seccomp sandbox will be turned on when the renderers start. But we can
   // already check if sufficient support is available so that we only need to
   // print one error message for the entire browser session.
   if (g_proc_fd >= 0 && SeccompSandboxEnabled()) {
     if (!SupportsSeccompSandbox(g_proc_fd)) {
       // There are a good number of users who cannot use the seccomp sandbox
       // (e.g. because their distribution does not enable seccomp mode by
       // default). While we would prefer to deny execution in this case, it
       // seems more realistic to continue in degraded mode.
       LOG(ERROR) << "WARNING! This machine lacks support needed for the "
                     "Seccomp sandbox. Running renderers with Seccomp "
                     "sandboxing disabled.";
     } else {
       VLOG(1) << "Enabling experimental Seccomp sandbox.";
-      sandbox_flags |= ZygoteHost::kSandboxSeccomp;
+      sandbox_flags |= ZygoteHostImpl::kSandboxSeccomp;
     }
   }
 #endif  // SECCOMP_SANDBOX
 
   Zygote zygote(sandbox_flags, forkdelegate);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }