Initialize NSS with no DB in the renderer process

content/browser/zygote_main_linux.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <sys/epoll.h>
 #include <sys/prctl.h>
 #include <sys/signal.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #if defined(CHROMIUM_SELINUX)
 #include <selinux/selinux.h>
 #include <selinux/context.h>
 #endif
 
 #include "content/browser/zygote_host_linux.h"
 
+#include "base/base64.h"
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/eintr_wrapper.h"
 #include "base/file_path.h"
 #include "base/global_descriptors_posix.h"
 #include "base/hash_tables.h"
 #include "base/linux_util.h"
+#include "base/nss_util.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/process_util.h"
 #include "base/rand_util.h"
 #include "base/scoped_ptr.h"
 #include "base/sys_info.h"
 #include "build/build_config.h"
 #include "chrome/common/chrome_descriptors.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/font_config_ipc_linux.h"
@@ skipping 552 matching lines @@
   // ICU DateFormat class (used in base/time_format.cc) needs to get the
   // Olson timezone ID by accessing the zoneinfo files on disk. After
   // TimeZone::createDefault is called once here, the timezone ID is
   // cached and there's no more need to access the file system.
   scoped_ptr<icu::TimeZone> zone(icu::TimeZone::createDefault());
 
   FilePath module_path;
   if (PathService::Get(base::DIR_MODULE, &module_path))
     media::InitializeMediaLibrary(module_path);
 
+  // Remoting requires NSS to function properly. It is not used for other
+  // reasons so load NSS only if remoting is enabled.
+  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
+  if (command_line.HasSwitch(switches::kEnableRemoting)) {
+    // We are going to fork to engage the sandbox and we have not loaded
+    // any security modules so it is safe to disable the fork check in NSS.
+    base::DisableNSSForkCheck();
+
+    // Initialize NSPR and NSS so that we load the necessary library files
+    // before we enter the sandbox.
+    base::EnsureNSPRInit();

[wtc, 2011/03/15 00:21:45]

Remove this EnsureNSPRInit call.

+    base::EnsureNSSNoDBInit();
+  }
+
   // Ensure access to the Pepper plugins before the sandbox is turned on.
   PepperPluginRegistry::PreloadModules();
 }
 
 #if !defined(CHROMIUM_SELINUX)
 static bool EnterSandbox() {
   // The SUID sandbox sets this environment variable to a file descriptor
   // over which we can signal that we have completed our startup and can be
   // chrooted.
   const char* const sandbox_fd_string = getenv("SBX_D");
@@ skipping 134 matching lines @@
       VLOG(1) << "Enabling experimental Seccomp sandbox.";
       sandbox_flags |= ZygoteHost::kSandboxSeccomp;
     }
   }
 #endif  // SECCOMP_SANDBOX
 
   Zygote zygote(sandbox_flags);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }