linux: enable seccomp sandbox by default

chrome/browser/zygote_main_linux.cc

 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <sys/epoll.h>
 #include <sys/prctl.h>
 #include <sys/signal.h>
 #include <sys/socket.h>
@@ skipping 491 matching lines @@
     media::InitializeMediaLibrary(module_path);
 }
 
 #if !defined(CHROMIUM_SELINUX)
 static bool EnterSandbox() {
   // The SUID sandbox sets this environment variable to a file descriptor
   // over which we can signal that we have completed our startup and can be
   // chrooted.
   const char* const sandbox_fd_string = getenv("SBX_D");
 
-  if (CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kEnableSeccompSandbox)) {
+  if (switches::SeccompSandboxEnabled()) {
     PreSandboxInit();
     SkiaFontConfigUseIPCImplementation(kMagicSandboxIPCDescriptor);
   } else if (sandbox_fd_string) {  // Use the SUID sandbox.
     g_suid_sandbox_active = true;
 
     char* endptr;
     const long fd_long = strtol(sandbox_fd_string, &endptr, 10);
     if (!*sandbox_fd_string || *endptr || fd_long < 0 || fd_long > INT_MAX)
       return false;
     const int fd = fd_long;
@@ skipping 87 matching lines @@
 
 bool ZygoteMain(const MainFunctionParams& params) {
 #if !defined(CHROMIUM_SELINUX)
   g_am_zygote_or_renderer = true;
 #endif
 
 #if defined(SECCOMP_SANDBOX)
   // The seccomp sandbox needs access to files in /proc, which might be denied
   // after one of the other sandboxes have been started. So, obtain a suitable
   // file handle in advance.
-  if (CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kEnableSeccompSandbox)) {
+  if (switches::SeccompSandboxEnabled()) {
     g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);
     if (g_proc_fd < 0) {
       LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "
                     "sandboxing.";
     }
   }
 #endif  // SECCOMP_SANDBOX
 
   // Turn on the SELinux or SUID sandbox
   if (!EnterSandbox()) {
     LOG(FATAL) << "Failed to enter sandbox. Fail safe abort. (errno: "
                << errno << ")";
     return false;
   }
 
 #if defined(SECCOMP_SANDBOX)
   // The seccomp sandbox will be turned on when the renderers start. But we can
   // already check if sufficient support is available so that we only need to
   // print one error message for the entire browser session.
-  if (g_proc_fd >= 0 &&
-      CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kEnableSeccompSandbox)) {
+  if (g_proc_fd >= 0 && switches::SeccompSandboxEnabled()) {
     if (!SupportsSeccompSandbox(g_proc_fd)) {
       // There are a good number of users who cannot use the seccomp sandbox
       // (e.g. because their distribution does not enable seccomp mode by
       // default). While we would prefer to deny execution in this case, it
       // seems more realistic to continue in degraded mode.
       LOG(ERROR) << "WARNING! This machine lacks support needed for the "
                     "Seccomp sandbox. Running renderers with Seccomp "
                     "sandboxing disabled.";
     } else {
       LOG(INFO) << "Enabling experimental Seccomp sandbox.";
     }
   }
 #endif  // SECCOMP_SANDBOX
 
   Zygote zygote;
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }