When compiling with ENABLE_SECCOMP_FILTERS, each WebKitWebProcess forks off a second WebKitWebProcess to broker system calls for the original WebKitWebProcess. This occurs relatively late, after memory is allocated for various purposes that that the broker process doesn't need. Each broker process uses 12.1 MiB (on the GTK+ port), which would be OK if the broker was shared between all web processes, but it's too much when there is a separate broker for each web process. There are various things we could try to do to fix this: * fork off the broker process as early as possible. In particular, ChildProcessMain<ChildProcessType, ChildProcessMainType> calls InitializeWebKit2(), which we probably want to avoid if at all possible. * exec the broker process after forking, so it only uses as much memory as it requires. (This has another advantage: the broker process would not confusingly be named WebKitWebProcess when viewed in top or System Monitor.) We'd need to find some way to get the syscall policy to the broker via IPC before the "real" web process applies the policy. * Have a single broker handle system calls for all other WebKit processes. This would also require transmitting the syscall policy via IPC, and it might degrade performance. (At least on the GTK+ port, this might well be a good tradeoff.)