Initialize NSS with no DB in the renderer process

content/browser/zygote_main_linux.cc

Index: content/browser/zygote_main_linux.cc
diff --git a/content/browser/zygote_main_linux.cc b/content/browser/zygote_main_linux.cc
index 47932817e82a7ec24dcfde47d0e168bc3fb5c11b..33a1d56ca38f3827a0ad1752075b3e458ec580f7 100644
--- a/content/browser/zygote_main_linux.cc
+++ b/content/browser/zygote_main_linux.cc
@@ -21,6 +21,7 @@
 
 #include "content/browser/zygote_host_linux.h"
 
+#include "base/base64.h"

[wtc, 2011/03/15 21:37:20]

Nit: why does the new code need "base/base64.h"?

 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/eintr_wrapper.h"
@@ -28,6 +29,7 @@
 #include "base/global_descriptors_posix.h"
 #include "base/hash_tables.h"
 #include "base/linux_util.h"
+#include "base/nss_util.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/process_util.h"
@@ -600,6 +602,20 @@ static void PreSandboxInit() {
   if (PathService::Get(base::DIR_MODULE, &module_path))
     media::InitializeMediaLibrary(module_path);
 
+  // Remoting requires NSS to function properly. It is not used for other
+  // reasons so load NSS only if remoting is enabled.
+  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
+  if (command_line.HasSwitch(switches::kEnableRemoting)) {
+    // We are going to fork to engage the sandbox and we have not loaded
+    // any security modules so it is safe to disable the fork check in NSS.
+    base::DisableNSSForkCheck();
+
+    // Initialize NSS so that we load the necessary library files
+    // before we enter the sandbox.
+    base::ForceNSSNoDBInit();
+    base::EnsureNSSInit();
+  }
+
   // Ensure access to the Pepper plugins before the sandbox is turned on.
   PepperPluginRegistry::PreloadModules();
 }