From 4634e2a332645f7a270edf55ccabd405c90d6092 Mon Sep 17 00:00:00 2001
From: Jed Davis
Date: Wed, 28 Jun 2017 07:11:55 -0700
Subject: [PATCH] Bug 1376910 - Unshare the SysV IPC namespace in content processes. r=gcp
MozReview-Commit-ID: 1Uajj68rEuC
--HG--
extra : rebase_source : 5a6c86a104911146cfb56243dec8016fca536dc3
---
 security/sandbox/linux/Sandbox.cpp | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
index 87be2ecbf8e2..2b473bf408d3 100644
--- a/security/sandbox/linux/Sandbox.cpp
+++ b/security/sandbox/linux/Sandbox.cpp
@@ -565,6 +565,7 @@ SandboxEarlyInit(GeckoProcessType aType)
 case GeckoProcessType_Default:
 MOZ_ASSERT(false, "SandboxEarlyInit in parent process");
 return;
+
 #ifdef MOZ_GMP_SANDBOX
 case GeckoProcessType_GMPlugin:
 if (!info.Test(SandboxInfo::kEnabledForMedia)) {
@@ -576,8 +577,18 @@ SandboxEarlyInit(GeckoProcessType aType)
 canChroot = info.Test(SandboxInfo::kHasSeccompBPF);
 break;
 #endif
- // In the future, content processes will be able to use some of
- // these.
+
+#ifdef MOZ_CONTENT_SANDBOX
+ case GeckoProcessType_Content:
+ if (!info.Test(SandboxInfo::kEnabledForContent)) {
+ break;
+ }
+#ifndef MOZ_ALSA
+ canUnshareIPC = true;
+#endif
+ break;
+#endif
+
 default:
 // Other cases intentionally left blank.
 break;
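Review bot: The `#ifndef MOZ_ALSA` guard around `canUnshareIPC = true;` in the new `GeckoProcessType_Content` case has no comment, so a reader cannot tell why ALSA builds leave content processes in the parent's SysV IPC namespace or when that exception can be removed. Because this is a compile-time weakening of the sandbox that produces no runtime signal, I would record the reason beside it, e.g. `// ALSA builds keep the shared SysV IPC namespace (presumably the ALSA client library needs SysV IPC; confirm), so content is not IPC-isolated there.` Both the early `break` on `kEnabledForContent` and the ALSA path rely on `canUnshareIPC` already being false before the switch. Its declaration and the rest of SandboxEarlyInit lie outside this hunk, so that default should be confirmed there.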