Zygote: Initialize NSS fully

content/zygote/zygote_main_linux.cc

Index: content/zygote/zygote_main_linux.cc
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
index a710dab2021a8f832b64d7f24b5216744a878510..c2223fceedc1051e3b3c81c06dc82da614f602fc 100644
--- a/content/zygote/zygote_main_linux.cc
+++ b/content/zygote/zygote_main_linux.cc
@@ -490,6 +490,24 @@ bool ZygoteMain(const MainFunctionParams& params,
 
   int sandbox_flags = linux_sandbox->GetStatus();
 
+#if defined(USE_NSS)
+  // Initialize NSS. We don't want to do this pre-sandbox because it's not well
+  // defined what venues of attacks it could create.
+  //
+  // In addition to the benfit of doing this initialization only once, (it will
+  // be inherited), this is a good warm-up before we enable our next layer of
+  // sandbox, e.g. seccomp-bpf.
+
+  // We will soon fork, but we haven't loaded any security module.
+  crypto::DisableNSSForkCheck();
+  // The setuid sandbox would prevent opening user security modules anyway,
+  // but it's more correct to tell NSS to not do it.
+  // Loading user security modules would have security implications.
+  crypto::ForceNSSNoDBInit();
+  // Initialize NSS, every child process will benefit from it.
+  crypto::EnsureNSSInit();
+#endif
+
   Zygote zygote(sandbox_flags, forkdelegate);
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();