-
Peter Beverloo authored
This CL attempts to enable the seccomp-bpf sandbox, as we do for renderer processes on Android, for the new photo picker when it is supported by the device. The implementation loads the native library as if it's a Chrome child process, and then calls the native InitializePhotoPickerSandbox function to initialize the sandbox when available. UMA is logged. Because we end up loading the native library, this does create for an additional delay of ~700ms before the first photo is shown. There may be optimization opportunities by separating out the sandbox code in a separate shared library, but this is made difficult by (a) our build system using the crazy linker, and (b) the dependencies of //sandbox on //base. I've verified that the sandbox is enabled on two devices running different versions of Android, both by printing the status of the SeccompStarterAndroid, and through the following command: $ adb shell cat /proc/18424/status | grep Seccomp Seccomp: 2 (Where "2" means that seccomp-bpf is enabled.) BUG=730066 Change-Id: I46e608bad8f69d3cf862c0953361c50f4c65c45c Reviewed-on: https://chromium-review.googlesource.com/577853Reviewed-by:
David Trainor <dtrainor@chromium.org> Reviewed-by:
Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by:
Bo Liu <boliu@chromium.org> Reviewed-by:
Ilya Sherman <isherman@chromium.org> Commit-Queue: Peter Beverloo <peter@chromium.org> Cr-Commit-Position: refs/heads/master@{#488643}
83622231
