[ios blink] Disable restrictive sandbox if --no-sandbox is passed

We can't completely disable all sandboxing with --no-sandbox like on
other platforms, but we can choose to not apply the restrictive sandbox.

Change-Id: I35de73b5b15eae0bdb49290218aba2cda8d5dd2f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6382696
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: Nasko Oskov <nasko@chromium.org>
Auto-Submit: Sunny Sachanandani <sunnyps@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1436343}

content/app/ios/appex/BUILD.gn

@@ -23,6 +23,7 @@ source_set("child_process_bridge") {
     ":child_process_bridge_header",
     "//base",
     "//gpu/ipc/common",
+    "//sandbox/policy",
   ]
   frameworks = [ "Foundation.framework" ]
 }

content/app/ios/appex/child_process_bridge.mm

@@ -15,9 +15,11 @@
 #include "base/apple/bundle_locations.h"
 #include "base/apple/mach_port_rendezvous.h"
 #include "base/check_op.h"
+#include "base/command_line.h"
 #include "base/system/sys_info.h"
 #include "content/app/ios/appex/child_process_sandbox.h"
 #include "gpu/ipc/common/ios/be_layer_hierarchy_transport.h"
+#include "sandbox/policy/switches.h"
 
 class GPUProcessTransport;
 
@@ -113,6 +115,11 @@ extern "C" IOS_INIT_EXPORT void ChildProcessHandleNewConnection(
 namespace content {
 
 void ChildProcessEnterSandbox() {
+  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
+          sandbox::policy::switches::kNoSandbox)) {
+    return;
+  }
+
   base::SysInfo::IsLowEndDevice();
 
   // Request the local time before entering the sandbox since that causes a