Linux: optionally run <argv0>-renderer.

chrome/browser/renderer_host/browser_render_process_host.cc

Index: chrome/browser/renderer_host/browser_render_process_host.cc
diff --git a/chrome/browser/renderer_host/browser_render_process_host.cc b/chrome/browser/renderer_host/browser_render_process_host.cc
index c694fdddbf7469d8dcbf7078bfd062e0c627679f..19c1b1fa0584470789008f650aeb8d9a0389c7d2 100644
--- a/chrome/browser/renderer_host/browser_render_process_host.cc
+++ b/chrome/browser/renderer_host/browser_render_process_host.cc
@@ -12,6 +12,7 @@
 #include <algorithm>
 
 #include "base/command_line.h"
+#include "base/file_util.h"
 #include "base/linked_ptr.h"
 #include "base/logging.h"
 #include "base/path_service.h"
@@ -116,7 +117,23 @@ const int32 kInvalidViewID = -1;
 // Get the path to the renderer executable, which is the same as the
 // current executable.
 bool GetRendererPath(std::wstring* cmd_line) {
+#if defined(OS_LINUX)
+  // Ubuntu has AppArmor, which triggers based on binary names.  Since we only
+  // want to sandbox the renderers they need to have a different name than the
+  // main Chromium binary (although it can just be a hard link to the same
+  // file). Thus, we probe to see if "<argv0>-renderer" exists. If so, we run
+  // that.
+
+  if (!PathService::Get(base::FILE_EXE, cmd_line))
+    return false;
+  std::wstring alt_path = *cmd_line;
+  alt_path.append(L"-renderer");
+  if (file_util::PathExists(alt_path))
+    *cmd_line = alt_path;
+  return true;
+#else
   return PathService::Get(base::FILE_EXE, cmd_line);
+#endif
 }
 
 BrowserRenderProcessHost::BrowserRenderProcessHost(Profile* profile)