chrome/browser/zygote_main_linux.cc - Issue 647017: linux: enable seccomp sandbox by default

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: chrome/browser/zygote_main_linux.cc

Issue 647017: linux: enable seccomp sandbox by default (Closed)

Patch Set: better Created 10 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: chrome/browser/zygote_main_linux.cc

diff --git a/chrome/browser/zygote_main_linux.cc b/chrome/browser/zygote_main_linux.cc

index 009ba00d9dc552661b8732cef5c0cb04c68f038f..a526d971a3343562ea371003a7750f21a3274149 100644

--- a/chrome/browser/zygote_main_linux.cc

+++ b/chrome/browser/zygote_main_linux.cc

@@ -607,8 +607,8 @@ bool ZygoteMain(const MainFunctionParams& params) {

// The seccomp sandbox needs access to files in /proc, which might be denied

// after one of the other sandboxes have been started. So, obtain a suitable

// file handle in advance.

- if (CommandLine::ForCurrentProcess()->HasSwitch(

- switches::kEnableSeccompSandbox)) {

+ if (!CommandLine::ForCurrentProcess()->HasSwitch(

+ switches::kDisableSeccompSandbox)) {

g_proc_fd = open("/proc", O_DIRECTORY | O_RDONLY);

if (g_proc_fd < 0) {

LOG(ERROR) << "WARNING! Cannot access \"/proc\". Disabling seccomp "

@@ -629,16 +629,16 @@ bool ZygoteMain(const MainFunctionParams& params) {

// already check if sufficient support is available so that we only need to

// print one error message for the entire browser session.

if (g_proc_fd >= 0 &&

- CommandLine::ForCurrentProcess()->HasSwitch(

- switches::kEnableSeccompSandbox)) {

+ !CommandLine::ForCurrentProcess()->HasSwitch(

+ switches::kDisableSeccompSandbox)) {

if (!SupportsSeccompSandbox(g_proc_fd)) {

// There are a good number of users who cannot use the seccomp sandbox

// (e.g. because their distribution does not enable seccomp mode by

// default). While we would prefer to deny execution in this case, it

// seems more realistic to continue in degraded mode.

- LOG(ERROR) << "WARNING! This machine lacks support needed for the "

- "Seccomp sandbox. Running renderers with Seccomp "

- "sandboxing disabled.";

+ LOG(FATAL) << "WARNING! This machine lacks support needed for the "

+ "Seccomp sandbox. Please report your system specs on "

+ "http://code.google.com/p/chromium/issues/detail?id=36133";

} else {

LOG(INFO) << "Enabling experimental Seccomp sandbox.";

}

« no previous file with comments | « chrome/browser/zygote_host_linux.cc ('k') | chrome/common/chrome_switches.h » ('j') | no next file with comments »