Bug 1199413 - Fix MOZ_DISABLE_GMP_SANDBOX so it disables all the sandboxing. r=kang

Bonus fix: don't start the chroot helper unless we're going to use
it.  For this to matter, you'd need a system with unprivileged user
namespaces but no seccomp-bpf (or fake it with env vars) *and* to set
media.gmp.insecure.allow, so this is more to set a good example for
future changes to this code than for functional reasons.

security/sandbox/linux/Sandbox.cpp

@@ -523,6 +523,7 @@ SandboxEarlyInit(GeckoProcessType aType, bool aIsNuwa)
   }
 
   MOZ_RELEASE_ASSERT(IsSingleThreaded());
+  const SandboxInfo info = SandboxInfo::Get();
 
   // Which kinds of resource isolation (of those that need to be set
   // up at this point) can be used by this process?
@@ -536,9 +537,13 @@ SandboxEarlyInit(GeckoProcessType aType, bool aIsNuwa)
     return;
 #ifdef MOZ_GMP_SANDBOX
   case GeckoProcessType_GMPlugin:
+    if (!info.Test(SandboxInfo::kEnabledForMedia)) {
+      break;
+    }
     canUnshareNet = true;
     canUnshareIPC = true;
-    canChroot = true;
+    // Need seccomp-bpf to intercept open().
+    canChroot = info.Test(SandboxInfo::kHasSeccompBPF);
     break;
 #endif
     // In the future, content processes will be able to use some of
@@ -554,7 +559,6 @@ SandboxEarlyInit(GeckoProcessType aType, bool aIsNuwa)
   }
 
   // If capabilities can't be gained, then nothing can be done.
-  const SandboxInfo info = SandboxInfo::Get();
   if (!info.Test(SandboxInfo::kHasUserNamespaces)) {
     return;
   }