There are Linux kernel changes that have been sent upstream (but not yet accepted) from Chromium to allow atomically applying seccomp filters to all threads in a process: https://lkml.org/lkml/2014/4/17/637 Chromium already has code to do this, intended for use on Android: http://git.chromium.org/gitweb/?p=chromium/src.git;a=commitdiff;h=8c215f5b965930c1faa004834491e4e11c6b26d8 It would be nice if we could use this where available (and, perhaps, backport the patches to our own seccomp-enabled B2G devices) instead of our current signal-based approach.

Move process sandboxing bugs to the new Bugzilla component. (Sorry for the bugspam; filter on 3c21328c-8cfb-4819-9d88-f6e965067350.)

WIP; tested locally on nexus5-l and Ubuntu 14.04; will r? when/if it passes Try.

The last patch made chrooting not work, which is bad. This fixes that, does a little cleanup, and adds some more assertions.