Add check for file system access to the sandbox.

chrome/common/chrome_content_client.cc

Index: chrome/common/chrome_content_client.cc
diff --git a/chrome/common/chrome_content_client.cc b/chrome/common/chrome_content_client.cc
index 75bd28d982d414eb9cedce97e57716b0248efff7..96aec770098bd90c478e296fe5a323f0e9c46016 100644
--- a/chrome/common/chrome_content_client.cc
+++ b/chrome/common/chrome_content_client.cc
@@ -5,6 +5,7 @@
 #include "chrome/common/chrome_content_client.h"
 
 #include <stdint.h>
+#include <sys/stat.h>
 
 #include <map>
 #include <memory>
@@ -301,9 +302,9 @@ void AddPepperFlashFromCommandLine(
 #if defined(OS_LINUX)
 // This function tests if DIR_USER_DATA can be accessed, as a simple check to

[rickyz (no longer on Chrome), 2016/09/22 17:31:15]

Update the comment as well.

 // see if the zygote has been sandboxed at this point.
-bool IsUserDataDirAvailable() {
-  base::FilePath user_data_dir;
-  return PathService::Get(chrome::DIR_USER_DATA, &user_data_dir);
+bool IsSandboxed() {
+  struct stat st;
+  return stat("/proc/self/exe", &st) == -1;
 }
 
 // This method is used on Linux only because of architectural differences in how
@@ -493,7 +494,7 @@ void ChromeContentClient::AddPepperPlugins(
   // is not always available. If it is not available, do not try and load any
   // flash plugin. The flash player, if any, preloaded before the sandbox
   // initialization will continue to be used.
-  if (!IsUserDataDirAvailable()) {
+  if (IsSandboxed()) {
     return;
   }
 #endif  // defined(OS_LINUX)