Ozone: Improve sandboxing documentation

docs/ozone_overview.md

 # Ozone Overview
 
 Ozone is a platform abstraction layer beneath the Aura window system that is
 used for low level input and graphics. Once complete, the abstraction will
 support underlying systems ranging from embedded SoC targets to new
 X11-alternative window systems on Linux such as Wayland or Mir to bring up Aura
 Chromium by providing an implementation of the platform interface.
 
 ## Guiding Principles
 
@@ skipping 112 matching lines @@
 To build `chrome`, do this from the `src` directory:
 
 ``` shell
 gn args out/OzoneChromeOS --args="use_ozone=true target_os=\"chromeos\""
 ninja -C out/OzoneChromeOS chrome
 ```
 
 Then to run for example the X11 platform:
 
 ``` shell
-./out/OzoneChromeOS/chrome --ozone-platform=x11 --disable-setuid-sandbox
+./out/OzoneChromeOS/chrome --ozone-platform=x11
 ```
 
 ### Embedded
 
 The following targets are currently working for embedded builds:
 
 * `content_shell`
 * various unit tests
 
 The following targets are currently NOT supported:
 
 * `ash_shell_with_content`
 * `chrome`
 
 To build `content_shell`, do this from the `src` directory:
 
 ``` shell
 gn args out/OzoneEmbedded --args="use_ozone=true toolkit_views=false"
 ninja -C out/OzoneEmbedded content_shell
 ```
 
 Then to run for example the headless platform:
 
 ``` shell
-./out/OzoneEmbedded/content_shell --disable-setuid-sandbox \
-                                  --ozone-platform=headless \
+./out/OzoneEmbedded/content_shell --ozone-platform=headless \
                                   --ozone-dump-file=/tmp/
 ```
 
 ### Linux Desktop - ([waterfall](https://build.chromium.org/p/chromium.fyi/builders/Ozone%20Linux/))
 Support for Linux Desktop is currently [in-progress](http://crbug.com/295089).
 
 The following targets are currently working:
 
 * various unit tests
 * `chrome`
 
 To build `chrome`, do this from the `src` directory:
 
 ``` shell
 gn args out/OzoneLinuxDesktop --args="use_ozone=true enable_package_mash_services=true"
 ninja -C out/OzoneLinuxDesktop chrome
 ```
 Then to run for example the X11 platform:
 
 ``` shell
 ./out/OzoneLinuxDesktop/chrome --ozone-platform=x11 \
-                               --disable-setuid-sandbox \
                                --mash
 ```
 
 Note: You may need to apply [this patch](https://codereview.chromium.org/2485673002/) to avoid missing ash resources during chrome execution.
 
 ### GN Configuration notes
 
 You can turn properly implemented ozone platforms on and off by setting the
 corresponding flags in your GN configuration. For example
 `ozone_platform_headless=false ozone_platform_gbm=false` will turn off the
 headless and DRM/GBM platforms.
 This will result in a smaller binary and faster builds. To turn ALL platforms
 off by default, set `ozone_auto_platforms=false`.
 
 You can also specify a default platform to run by setting the `ozone_platform`
 build parameter. For example `ozone_platform="x11"` will make X11 the
 default platform when `--ozone-platform` is not passed to the program.
 If `ozone_auto_platforms` is true then `ozone_platform` is set to `headless`
 by default.
 
 ## Running with Ozone
 
 Specify the platform you want to use at runtime using the `--ozone-platform`
-flag. Disabling the setuid sandbox may be required during development.
-
-For example, to run content_shell with the GBM platform:
+flag. For example, to run `content_shell` with the GBM platform:
 
 ``` shell
-content_shell --disable-setuid-sandbox --ozone-platform=gbm
+content_shell --ozone-platform=gbm
 ```
 
 Caveats:
 
 * `content_shell` always runs at 800x600 resolution.
 * For the GBM platform, you may need to terminate your X server (or any other
   display server) prior to testing.
+* During development, you may need to configure
+  [sandboxing](linux_sandboxing.md) or to disable it.

[tonikitoo, 2016/11/09 15:02:34]

"you may need to configure or disable [sandboxing](linux_sandboxing.md)" ?

also, for a quick in-place reference, maybe list --disable-setuid-sandbox or
--no-sandbox here explicitly in this paragraph?

[fwang, 2016/11/09 15:09:38]

I'd prefer to not discuss sandboxing at all on this page, as it is likely to
change again (for example suid sandboxing will go away). People can find the
latest up-to-date doc on the referred page.

 
 ## Ozone Platforms
 
 ### Headless
 
 This platform
 draws graphical output to a PNG image (no GPU support; software rendering only)
 and will not output to the screen. You can set
 the path of the directory where to output the images
 by specifying `--ozone-dump-file=/path/to/output-directory` on the
 command line:
 
 ``` shell
-content_shell --disable-setuid-sandbox \
-              --ozone-platform=headless \
+content_shell --ozone-platform=headless \
               --ozone-dump-file=/tmp/
 ```
 
 ### DRM/GBM
 
 This is Linux direct rending with acceleration via mesa GBM & linux DRM/KMS
 (EGL/GLES2 accelerated rendering & modesetting in GPU process) and is in
 production use on [ChromeOS](http://www.chromium.org/chromium-os).
 
 Note that all ChromeOS builds of Chrome will compile and attempt to use this.
@@ skipping 20 matching lines @@
 
 Below are some quick build & run instructions. It is assumed that you are
 launching `chrome` from a Wayland environment such as `weston`. Apply
 [this patch](https://codereview.chromium.org/2485673002/) and execute the
 following commands:
 
 ``` shell
 gn args out/OzoneWayland --args="use_ozone=true enable_package_mash_services=true"
 ninja -C out/OzoneWayland chrome
 ./out/OzoneWayland/chrome --ozone-platform=wayland \
-                          --mash \
-                          --disable-setuid-sandbox
+                          --mash
 ```
 
 ### Caca
 
 This platform
 draws graphical output to text using
 [libcaca](http://caca.zoy.org/wiki/libcaca)
 (no GPU support; software
 rendering only). In case you ever wanted to test embedded content shell on
 tty.
 It has been
 [removed from the tree](https://codereview.chromium.org/2445323002/) and is no
 longer maintained but you can
 [build it as an out-of-tree port](https://github.com/fred-wang/ozone-caca).
 
 Alternatively, you can try the latest revision known to work. First, install
 libcaca shared library and development files. Next, move to the git revision
 `0e64be9cf335ee3bea7c989702c5a9a0934af037`
 (you will probably need to synchronize the build dependencies with
 `gclient sync --with_branch_heads`). Finally, build and run the caca platform
 with the following commands:
 
 ``` shell
 gn args out/OzoneCaca \
         --args="use_ozone=true ozone_platform_caca=true use_sysroot=false ozone_auto_platforms=false toolkit_views=false"
 ninja -C out/OzoneCaca content_shell
-./out/OzoneCaca/content_shell --disable-setuid-sandbox
+./out/OzoneCaca/content_shell
 ```
 
   Note: traditional TTYs are not the ideal browsing experience.<br/>
   ![Picture of a workstation using Ozone/caca to display the Google home page in a text terminal](./images/ozone_caca.jpg)
 
 ## Communication
 
 There is a public mailing list:
 [ozone-dev@chromium.org](https://groups.google.com/a/chromium.org/forum/#!forum/ozone-dev)