linux: enable seccomp sandbox by default

chrome/common/chrome_switches.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/chrome_switches.h"
 
 #include "base/base_switches.h"
+#include "base/command_line.h"
 
 namespace switches {
 
 // -----------------------------------------------------------------------------
 // Can't find the switch you are looking for? try looking in
 // base/base_switches.cc instead.
 // -----------------------------------------------------------------------------
 
 // Activate (make foreground) myself on launch.  Helpful when Chrome
 // is launched on the command line (e.g. by Selenium).  Only needed on Mac.
@@ skipping 262 matching lines @@
 // Enable Native Web Worker support.
 const char kEnableNativeWebWorkers[]        = "enable-native-web-workers";
 
 // Enable Privacy Blacklists.
 const char kEnablePrivacyBlacklists[]       = "enable-privacy-blacklists";
 
 // Turns on the accessibility in the renderer.  Off by default until
 // http://b/issue?id=1432077 is fixed.
 const char kEnableRendererAccessibility[]   = "enable-renderer-accessibility";
 
-// Enable the seccomp sandbox (Linux only)
-const char kEnableSeccompSandbox[]          = "enable-seccomp-sandbox";
-
 // Enables StatsTable, logging statistics to a global named shared memory table.
 const char kEnableStatsTable[]              = "enable-stats-table";
 
 // Enable syncing browser data to a Google Account.
 const char kEnableSync[]                    = "enable-sync";
 
 // Enable syncing browser autofill.
 const char kEnableSyncAutofill[]            = "enable-sync-autofill";
 
 // Enable syncing browser bookmarks.
@@ skipping 573 matching lines @@
 
 // Makes sure any sync login attempt will fail with an error.  (Only
 // used for testing.)
 const char kInvalidateSyncLogin[]           = "invalidate-sync-login";
 
 // Makes sure any sync xmpp login attempt will fail with an error.  (Only
 // used for testing.)
 const char kInvalidateSyncXmppLogin[]       = "invalidate-sync-xmpp-login";
 #endif
 
+// USE_SECCOMP_SANDBOX controls whether the seccomp sandbox is opt-in or -out.
+// TODO(evan): unify all of these once we turn the seccomp sandbox always
+// on.  Also remove the #include of command_line.h above.
+#if defined(USE_SECCOMP_SANDBOX)
+// Disable the seccomp sandbox (Linux only)
+const char kDisableSeccompSandbox[]         = "disable-seccomp-sandbox";
+#else
+// Enable the seccomp sandbox (Linux only)
+const char kEnableSeccompSandbox[]          = "enable-seccomp-sandbox";
+#endif
+
+bool SeccompSandboxEnabled() {
+#if defined(USE_SECCOMP_SANDBOX)
+  return !CommandLine::ForCurrentProcess()->HasSwitch(
+             switches::kDisableSeccompSandbox);
+#else
+  return CommandLine::ForCurrentProcess()->HasSwitch(
+             switches::kEnableSeccompSandbox);
+#endif
+}
+
 // -----------------------------------------------------------------------------
 // DO NOT ADD YOUR CRAP TO THE BOTTOM OF THIS FILE.
 //
 // You were going to just dump your switches here, weren't you? Instead,
 // please put them in alphabetical order above, or in order inside the
 // appropriate ifdef at the bottom. The order should match the header.
 // -----------------------------------------------------------------------------
 
 }  // namespace switches