Move the SeccompSupportDetector to be in-process.

Some of this work was previously done in the utility process. Since processes
are expensive on Android, and doing so hasn't helped defend against detection
issues, this is a simpler solution.

BUG=490948,468455
R=leecam@chromium.org,thestig@chromium.org
TBR=enne@chromium.org

Review URL: https://codereview.chromium.org/1161053004

Cr-Commit-Position: refs/heads/master@{#333372}

11 files changed, 41 insertions, 114 deletions

diff --git a/chrome/browser/BUILD.gn b/chrome/browser/BUILD.gn
index 30127a3..74971e6 100644
--- a/chrome/browser/BUILD.gn
+++ b/chrome/browser/BUILD.gn
@@ -645,6 +645,7 @@ source_set("browser") {
 
     if (use_seccomp_bpf) {
       defines += [ "USE_SECCOMP_BPF" ]
+      deps += [ "//sandbox/linux:seccomp_bpf" ]
     }
   }
 
diff --git a/chrome/browser/android/DEPS b/chrome/browser/android/DEPS
index 2b8a00e..1b7b362 100644
--- a/chrome/browser/android/DEPS
+++ b/chrome/browser/android/DEPS
@@ -4,5 +4,6 @@ include_rules = [
   "+components/devtools_http_handler",
   "+components/service_tab_launcher",
   "+components/web_contents_delegate_android",
-  "+cc/layers/layer.h"
+  "+cc/layers/layer.h",
+  "+sandbox/linux/seccomp-bpf/sandbox_bpf.h",
 ]
diff --git a/chrome/browser/android/seccomp_support_detector.cc b/chrome/browser/android/seccomp_support_detector.cc
index d53911b..30581cc 100644
--- a/chrome/browser/android/seccomp_support_detector.cc
+++ b/chrome/browser/android/seccomp_support_detector.cc
@@ -10,16 +10,21 @@
 #include "base/message_loop/message_loop_proxy.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/metrics/sparse_histogram.h"
-#include "chrome/common/chrome_utility_messages.h"
-#include "chrome/grit/generated_resources.h"
 #include "content/public/browser/browser_thread.h"
-#include "content/public/browser/utility_process_host.h"
-#include "ui/base/l10n/l10n_util.h"
+
+#if defined(USE_SECCOMP_BPF)
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#endif
 
 using content::BrowserThread;
 
 enum AndroidSeccompStatus {
-  DETECTION_FAILED,  // The process crashed during detection.
+  // DETECTION_FAILED was formerly used when probing for seccomp was done
+  // out-of-process. There does not appear to be a gain in doing so, as
+  // explained in the comment in DetectSeccomp(). This enum remains for
+  // historical reasons.
+  DETECTION_FAILED_OBSOLETE,  // The process crashed during detection.
+
   NOT_SUPPORTED,     // Kernel has no seccomp support.
   SUPPORTED,         // Kernel has seccomp support.
   LAST_STATUS
@@ -28,12 +33,13 @@ enum AndroidSeccompStatus {
 // static
 void SeccompSupportDetector::StartDetection() {
   // This is instantiated here, and then ownership is maintained by the
-  // Closure objects when the object is being passed between threads. A
-  // reference is also taken by the UtilityProcessHost, which will release
-  // it when the process exits.
+  // Closure objects when the object is being passed between threads. When
+  // the last Closure runs, it will delete this.
   scoped_refptr<SeccompSupportDetector> detector(new SeccompSupportDetector());
   BrowserThread::PostBlockingPoolTask(FROM_HERE,
       base::Bind(&SeccompSupportDetector::DetectKernelVersion, detector));
+  BrowserThread::PostBlockingPoolTask(FROM_HERE,
+      base::Bind(&SeccompSupportDetector::DetectSeccomp, detector));
 }
 
 SeccompSupportDetector::SeccompSupportDetector() {
@@ -57,51 +63,23 @@ void SeccompSupportDetector::DetectKernelVersion() {
       UMA_HISTOGRAM_SPARSE_SLOWLY("Android.KernelVersion", version);
     }
   }
-
-#if defined(USE_SECCOMP_BPF)
-  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
-      base::Bind(&SeccompSupportDetector::DetectSeccomp, this));
-#else
-  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
-      base::Bind(&SeccompSupportDetector::OnDetectPrctl, this, false));
-#endif
 }
 
 void SeccompSupportDetector::DetectSeccomp() {
-  DCHECK_CURRENTLY_ON(BrowserThread::IO);
-
-  content::UtilityProcessHost* utility_process_host =
-      content::UtilityProcessHost::Create(
-          this, base::MessageLoopProxy::current());
-  utility_process_host->SetName(l10n_util::GetStringUTF16(
-      IDS_UTILITY_PROCESS_SECCOMP_DETECTOR_NAME));
-  utility_process_host->Send(new ChromeUtilityMsg_DetectSeccompSupport());
-}
-
-void SeccompSupportDetector::OnProcessCrashed(int exit_code) {
-  DCHECK_CURRENTLY_ON(BrowserThread::IO);
-  UMA_HISTOGRAM_ENUMERATION("Android.SeccompStatus.Prctl",
-                            DETECTION_FAILED,
-                            LAST_STATUS);
-}
-
-bool SeccompSupportDetector::OnMessageReceived(const IPC::Message& message) {
-  bool handled = false;
-  IPC_BEGIN_MESSAGE_MAP(SeccompSupportDetector, message)
-    IPC_MESSAGE_HANDLER(ChromeUtilityHostMsg_DetectSeccompSupport_ResultPrctl,
-                        OnDetectPrctl)
-    IPC_MESSAGE_UNHANDLED(handled = false)
-  IPC_END_MESSAGE_MAP()
-  return handled;
-}
+  DCHECK(BrowserThread::GetBlockingPool()->RunsTasksOnCurrentThread());
 
-void SeccompSupportDetector::OnDetectPrctl(bool prctl_supported) {
-  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+#if defined(USE_SECCOMP_BPF)
+  bool prctl_supported = sandbox::SandboxBPF::SupportsSeccompSandbox(
+      sandbox::SandboxBPF::SeccompLevel::SINGLE_THREADED);
+#else
+  bool prctl_supported = false;
+#endif
 
   UMA_HISTOGRAM_ENUMERATION("Android.SeccompStatus.Prctl",
                             prctl_supported ? SUPPORTED : NOT_SUPPORTED,
                             LAST_STATUS);
 
-  // The utility process will shutdown after this, and this object will
-  // be deleted when the UtilityProcessHost releases its reference.
+  // Probing for the seccomp syscall can provoke kernel panics in certain LGE
+  // devices. For now, this data will not be collected. In the future, this
+  // should detect SeccompLevel::MULTI_THREADED. http://crbug.com/478478
 }
diff --git a/chrome/browser/android/seccomp_support_detector.h b/chrome/browser/android/seccomp_support_detector.h
index 58d66bd..d74e3fe 100644
--- a/chrome/browser/android/seccomp_support_detector.h
+++ b/chrome/browser/android/seccomp_support_detector.h
@@ -6,35 +6,32 @@
 #define CHROME_BROWSER_ANDROID_SECCOMP_SUPPORT_DETECTOR_H_
 
 #include "base/compiler_specific.h"
-#include "content/public/browser/utility_process_host_client.h"
+#include "base/memory/ref_counted.h"
 
 // This class is used to report via UMA the Android kernel version and
-// level of seccomp-bpf support. The kernel version is read from the blocking
-// thread pool, while seccomp support is tested in a utility process, in case
-// the probing causes a crash.
-class SeccompSupportDetector : public content::UtilityProcessHostClient {
+// level of seccomp-bpf support. The operations are performed on the
+// blocking thread pool.
+class SeccompSupportDetector
+    : public base::RefCountedThreadSafe<SeccompSupportDetector> {
  public:
   // Starts the detection process. This should be called once per browser
   // session. This is safe to call from any thread.
   static void StartDetection();
 
  private:
+  friend class base::RefCountedThreadSafe<SeccompSupportDetector>;
+
   SeccompSupportDetector();
-  ~SeccompSupportDetector() override;
+  ~SeccompSupportDetector();
 
   // Called on the blocking thread pool. This reads the utsname and records
   // the kernel version.
   void DetectKernelVersion();
 
-  // Called on the IO thread. This starts a utility process to detect seccomp.
+  // Called on the blocking thread pool. This tests whether the system
+  // supports PR_SET_SECCOMP.
   void DetectSeccomp();
 
-  // UtilityProcessHostClient:
-  void OnProcessCrashed(int exit_code) override;
-  bool OnMessageReceived(const IPC::Message& message) override;
-
-  void OnDetectPrctl(bool prctl_supported);
-
   DISALLOW_COPY_AND_ASSIGN(SeccompSupportDetector);
 };
 
diff --git a/chrome/chrome_browser.gypi b/chrome/chrome_browser.gypi
index 656f052..b7093cd 100644
--- a/chrome/chrome_browser.gypi
+++ b/chrome/chrome_browser.gypi
@@ -3624,6 +3624,9 @@
           'conditions': [
             ['use_seccomp_bpf==1', {
               'defines': ['USE_SECCOMP_BPF'],
+              'dependencies': [
+                '../sandbox/sandbox.gyp:seccomp_bpf',
+              ],
             }],
           ],
         }],
diff --git a/chrome/chrome_utility.gypi b/chrome/chrome_utility.gypi
index 6b1db2f..76cdbc8 100644
--- a/chrome/chrome_utility.gypi
+++ b/chrome/chrome_utility.gypi
@@ -154,12 +154,6 @@
             'utility/importer/nss_decryptor_system_nss.h',
           ],
         }],
-        ['OS=="android" and use_seccomp_bpf==1', {
-          'dependencies': [
-            '../sandbox/sandbox.gyp:seccomp_bpf',
-          ],
-          'defines': ['USE_SECCOMP_BPF'],
-        }],
         ['enable_extensions==1', {
           'dependencies': [
             '../extensions/extensions.gyp:extensions_utility',
diff --git a/chrome/common/chrome_utility_messages.h b/chrome/common/chrome_utility_messages.h
index aa519cb..f67c63d 100644
--- a/chrome/common/chrome_utility_messages.h
+++ b/chrome/common/chrome_utility_messages.h
@@ -204,13 +204,6 @@ IPC_MESSAGE_CONTROL1(ChromeUtilityMsg_GetSaveFileName,
                      ChromeUtilityMsg_GetSaveFileName_Params /* params */)
 #endif  // defined(OS_WIN)
 
-#if defined(OS_ANDROID)
-// Instructs the utility process to detect support for seccomp-bpf,
-// and the result is reported through
-// ChromeUtilityHostMsg_DetectSeccompSupport_Result.
-IPC_MESSAGE_CONTROL0(ChromeUtilityMsg_DetectSeccompSupport)
-#endif
-
 //------------------------------------------------------------------------------
 // Utility process host messages:
 // These are messages from the utility process to the browser.
@@ -263,10 +256,3 @@ IPC_MESSAGE_CONTROL2(ChromeUtilityHostMsg_GetSaveFileName_Result,
 IPC_MESSAGE_CONTROL1(ChromeUtilityHostMsg_BuildDirectWriteFontCache,
                      base::FilePath /* cache file path */)
 #endif  // defined(OS_WIN)
-
-#if defined(OS_ANDROID)
-// Reply to ChromeUtilityMsg_DetectSeccompSupport to report the level
-// of kernel support for seccomp-bpf.
-IPC_MESSAGE_CONTROL1(ChromeUtilityHostMsg_DetectSeccompSupport_ResultPrctl,
-                     bool /* seccomp prctl supported */)
-#endif
diff --git a/chrome/utility/BUILD.gn b/chrome/utility/BUILD.gn
index fbe9073..803b289 100644
--- a/chrome/utility/BUILD.gn
+++ b/chrome/utility/BUILD.gn
@@ -31,12 +31,7 @@ static_library("utility") {
     "//chrome/common",
   ]
 
-  if (is_android) {
-    if (use_seccomp_bpf) {
-      deps += [ "//sandbox/linux:seccomp_bpf" ]
-      defines += [ "USE_SECCOMP_BPF" ]
-    }
-  } else {
+  if (!is_android) {
     deps += [
       "//chrome/common:mojo_bindings",
       "//net:net_utility_services",
diff --git a/chrome/utility/DEPS b/chrome/utility/DEPS
index fb25cd1..e621c4f 100644
--- a/chrome/utility/DEPS
+++ b/chrome/utility/DEPS
@@ -6,7 +6,6 @@ include_rules = [
   "+components/safe_json_parser",
   "+courgette",
   "+extensions/common",
-  "+sandbox/linux/seccomp-bpf/sandbox_bpf.h",
   "+skia/ext",
   "+media",
   "+third_party/zlib/google",
diff --git a/chrome/utility/chrome_content_utility_client.cc b/chrome/utility/chrome_content_utility_client.cc
index 700e6a0..9671be8 100644
--- a/chrome/utility/chrome_content_utility_client.cc
+++ b/chrome/utility/chrome_content_utility_client.cc
@@ -38,10 +38,6 @@
 #include "third_party/mojo/src/mojo/public/cpp/bindings/strong_binding.h"
 #endif
 
-#if defined(OS_ANDROID) && defined(USE_SECCOMP_BPF)
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
-#endif
-
 #if defined(OS_WIN)
 #include "chrome/utility/font_cache_handler_win.h"
 #include "chrome/utility/shell_handler_win.h"
@@ -204,10 +200,6 @@ bool ChromeContentUtilityClient::OnMessageReceived(
 #if defined(OS_CHROMEOS)
     IPC_MESSAGE_HANDLER(ChromeUtilityMsg_CreateZipFile, OnCreateZipFile)
 #endif
-#if defined(OS_ANDROID) && defined(USE_SECCOMP_BPF)
-    IPC_MESSAGE_HANDLER(ChromeUtilityMsg_DetectSeccompSupport,
-                        OnDetectSeccompSupport)
-#endif
     IPC_MESSAGE_UNHANDLED(handled = false)
   IPC_END_MESSAGE_MAP()
 
@@ -334,21 +326,6 @@ void ChromeContentUtilityClient::OnCreateZipFile(
 }
 #endif  // defined(OS_CHROMEOS)
 
-#if defined(OS_ANDROID) && defined(USE_SECCOMP_BPF)
-void ChromeContentUtilityClient::OnDetectSeccompSupport() {
-  bool supports_prctl = sandbox::SandboxBPF::SupportsSeccompSandbox(
-      sandbox::SandboxBPF::SeccompLevel::SINGLE_THREADED);
-  Send(new ChromeUtilityHostMsg_DetectSeccompSupport_ResultPrctl(
-      supports_prctl));
-
-  // Probing for the seccomp syscall can provoke kernel panics in certain LGE
-  // devices. For now, this data will not be collected. In the future, this
-  // should detect SeccompLevel::MULTI_THREADED. http://crbug.com/478478
-
-  ReleaseProcessIfNeeded();
-}
-#endif  // defined(OS_ANDROID) && defined(USE_SECCOMP_BPF)
-
 #if defined(OS_CHROMEOS)
 void ChromeContentUtilityClient::OnRobustJPEGDecodeImage(
     const std::vector<unsigned char>& encoded_data,
diff --git a/chrome/utility/chrome_content_utility_client.h b/chrome/utility/chrome_content_utility_client.h
index b442d14..1205c7b 100644
--- a/chrome/utility/chrome_content_utility_client.h
+++ b/chrome/utility/chrome_content_utility_client.h
@@ -58,10 +58,6 @@ class ChromeContentUtilityClient : public content::ContentUtilityClient {
                        const base::FileDescriptor& dest_fd);
 #endif  // defined(OS_CHROMEOS)
 
-#if defined(OS_ANDROID) && defined(USE_SECCOMP_BPF)
-  void OnDetectSeccompSupport();
-#endif
-
   void OnPatchFileBsdiff(const base::FilePath& input_file,
                          const base::FilePath& patch_file,
                          const base::FilePath& output_file);