# HG changeset patch
# User Jed Davis
# Date 1516155051 25200
# Node ID 46c4a5ce6e0f8e13363e96a22e74912eed10bd00
# Parent e2b18bbf13209591aeba471af7582964d7ab4705
Bug 1213998 - Apply chroot() to sandboxed content processes on Linux. r=gcp
MozReview-Commit-ID: DGepECmw3pq
diff --git a/security/sandbox/linux/launch/SandboxLaunch.cpp b/security/sandbox/linux/launch/SandboxLaunch.cpp
--- a/security/sandbox/linux/launch/SandboxLaunch.cpp
+++ b/security/sandbox/linux/launch/SandboxLaunch.cpp
@@ -215,16 +215,17 @@ SandboxLaunchPrepare(GeckoProcessType aT
 break;
 #endif
 #ifdef MOZ_CONTENT_SANDBOX
 case GeckoProcessType_Content:
 // TODO: CLONE_NEWIPC (bug 1376910) if not fglrx and level >= 1,
 // once the XShm detection shim is fixed.
 if (level >= 4) {
+ canChroot = true;
 // Unshare network namespace if allowed by graphics; see
 // function definition above for details. (The display
 // local-ness is cached because it won't change.)
 static const bool isDisplayLocal = IsDisplayLocal();
 if (isDisplayLocal) {
 flags |= CLONE_NEWNET;
 }
 }
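Review bot: `canChroot = true;` is added at the top of the `level >= 4` branch with no comment of its own, and the comment that follows it describes only the network namespace, so the reason chroot is tied to this level is not recorded where the decision is made. Unlike `CLONE_NEWNET`, which is gated on `isDisplayLocal`, the flag is set unconditionally for every level 4 content process, so the assumption behind it should be stated, for example `// Content at this level must not rely on direct filesystem access after launch; it will be chrooted.` How `canChroot` is consumed is outside this hunk; if the launch can proceed without the chroot when its prerequisites (presumably an unprivileged user namespace) are missing, the same comment should say so, since that fallback would silently weaken the sandbox. SandboxLaunchPrepare starts and ends outside the hunk.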