Index: content/browser/zygote_host/zygote_host_impl_linux.h |
diff --git a/content/browser/zygote_host/zygote_host_impl_linux.h b/content/browser/zygote_host/zygote_host_impl_linux.h |
index e18e098088bfa04f0e5e59aac515c84c3646a43e..9c67e71756f67fad6028c852d2587ba0b1bb4e71 100644 |
--- a/content/browser/zygote_host/zygote_host_impl_linux.h |
+++ b/content/browser/zygote_host/zygote_host_impl_linux.h |
@@ -82,6 +82,12 @@ class CONTENT_EXPORT ZygoteHostImpl : public ZygoteHost { |
ssize_t ReadReply(void* buf, size_t buflen); |
+ // Whether we should use the namespace sandbox instead of the setuid sandbox. |
+ // Currently, the namespace sandbox is enabled when sandboxing is not |
+ // disabled, the enable-namespace-sandbox switch is set, user namespaces are |
+ // supported, and seccomp BPF is supported. |
+ bool ShouldUseNamespaceSandbox(); |
+ |
int control_fd_; // the socket to the zygote |
// A lock protecting all communication with the zygote. This lock must be |
// acquired before sending a command and released after the result has been |