Linux: Add support for chrooted renderers.

Linux: Add support for chrooted renderers.

http://code.google.com/p/chromium/wiki/LinuxSandboxIPC

Without filesystem access from the renderers, we need another way of
dealing with fontconfig and font loading.

This add support for:
  * An "SBX_D" environment variable in the renderers which is used to
    signal the end of dynamic linking so that the chroot can be
    enforced.
  * A sandbox_host process, running outside the sandbox, to deal with
    fontconfig requests from the renderers. See the wiki page for
    the reasoning behind making it a separate process.
  * A new, custom SkFontHost for Skia. Because this is Chrome
    specific, it will live outside the upstream Skia tree. This
    FontHost can be configured either to drive fontconfig directly
    (for the browser process and for any unsandboxed renderers) or to
    use an IPC system. Since the same SkFontHost has to be linked into
    both the browser and renderer (they are the same binary), this
    switch has to be made at run time.

Sandbox IPC calls are rare (a couple of dozen at page load time) and
add about 50us of overhead for each call.

[agl, 2009-05-29 20:47:51]

This is not quite fully baked yet, but I thought I should get it out there a
little earlier given the amount of code and design.

For one, this collides with your Skia patch and I'll sync up on that before
committing.

[Evan Martin, 2009-05-29 22:04:43]

Unfortunately, I think Darin will probably want to review this given that it
involves new IPC goop.

[Evan Martin, 2009-05-29 22:22:43]

Tony mentions we have a special "utility" process that extensions will use.  But
it probably is forked at the wrong time for you?  Unfortunately, I wonder if the
opt-in for crash dumping happens at the wrong time for you as well.

[Evan Martin, 2009-05-29 22:23:03]

http://codereview.chromium.org/112074/diff/1/3
File chrome/app/chrome_dll_main.cc (left):

http://codereview.chromium.org/112074/diff/1/3#oldcode412
Line 412: CHECK(chmod(fix_dir.value().c_str(), 0700) == 0);
Let me fix this separately.

In fact, you get a preemptive LGTM on submitting this file's changes right now.

http://codereview.chromium.org/112074/diff/1/4
File chrome/browser/browser_main.cc (right):

http://codereview.chromium.org/112074/diff/1/4#newcode253
Line 253: EnableCrashDumping();
I think this needs to be conditional on the opt-in setting, which is why it used
to be here but then was removed.

[agl, 2009-05-29 22:26:59]

http://codereview.chromium.org/112074/diff/1/4
File chrome/browser/browser_main.cc (right):

http://codereview.chromium.org/112074/diff/1/4#newcode254
Line 254: 
Thanks. That was an artifact of merging. There should be no crash dumping
changes in this patch.

[Lei Zhang, 2009-06-04 01:30:43]

http://codereview.chromium.org/112074/diff/1/16
File skia/ext/SkFontHost_fontconfig_ipc.cpp (right):

http://codereview.chromium.org/112074/diff/1/16#newcode69
Line 69: memset(&msg, 0, sizeof(msg));
fta reports compile failure. http://paste.ubuntu.com/187812/

needs string.h

http://codereview.chromium.org/112074/diff/1/16#newcode121
Line 121: char filename_buf[PATH_MAX];
and limits.h