Bug 1376910 - Unshare the SysV IPC namespace in content processes. r=gcp

MozReview-Commit-ID: 1Uajj68rEuC

--HG--
extra : rebase_source : 5a6c86a104911146cfb56243dec8016fca536dc3

security/sandbox/linux/Sandbox.cpp

@@ -565,6 +565,7 @@ SandboxEarlyInit(GeckoProcessType aType)
   case GeckoProcessType_Default:
     MOZ_ASSERT(false, "SandboxEarlyInit in parent process");
     return;
+
 #ifdef MOZ_GMP_SANDBOX
   case GeckoProcessType_GMPlugin:
     if (!info.Test(SandboxInfo::kEnabledForMedia)) {
@@ -576,8 +577,18 @@ SandboxEarlyInit(GeckoProcessType aType)
     canChroot = info.Test(SandboxInfo::kHasSeccompBPF);
     break;
 #endif
-    // In the future, content processes will be able to use some of
-    // these.
+
+#ifdef MOZ_CONTENT_SANDBOX
+  case GeckoProcessType_Content:
+    if (!info.Test(SandboxInfo::kEnabledForContent)) {
+      break;
+    }
+#ifndef MOZ_ALSA
+    canUnshareIPC = true;
+#endif
+    break;
+#endif
+
   default:
     // Other cases intentionally left blank.
     break;