[fuchsia] Add //fuchsia/SECURITY_OWNERS and per-file OWNERS using it.

Add a set of owners for Fuchsia-specific security reviews, which will
apply to CLs which have:
- Changes to Chromium-defined FIDL APIs.
- Changes to component sandbox specifications.
- Changes to critical integration code, e.g. the sandbox policy.

The new //fuchsia/SECURITY_OWNERS file is applied to specific files in
//base, //fuchsia and //services, that are critical to the security of
WebEngine and other Chromium packages published for use on Fuchsia.

Bug: 1053551
Change-Id: I809cc07843ff06167b596f3fea21307e599803bf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2128079Reviewed-by: David Dorwin <ddorwin@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Wez <wez@chromium.org>
Auto-Submit: Wez <wez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#758932}

base/process/OWNERS

+# LaunchProcess() is part of the Fuchsia sandbox.
+per-file launch_fuchsia.*=set noparent
+per-file launch_fuchsia.*=file://fuchsia/SECURITY_OWNERS

build/OWNERS.setnoparent

@@ -10,6 +10,7 @@ file://third_party/OWNERS
 # Security reviews
 file://chromeos/SECURITY_OWNERS
 file://content/browser/SITE_ISOLATION_OWNERS
+file://fuchsia/SECURITY_OWNERS
 file://ipc/SECURITY_OWNERS
 file://net/base/SECURITY_OWNERS
 file://sandbox/linux/OWNERS

fuchsia/OWNERS

 file://build/fuchsia/OWNERS
 
+per-file SECURITY_OWNERS=set noparent
+per-file SECURITY_OWNERS=file://fuchsia/SECURITY_OWNERS
+
 # COMPONENT: Fuchsia
 # OS: Fuchsia
 # TEAM: cr-fuchsia@chromium.org

fuchsia/SECURITY_OWNERS

+# Changes to integration with the Fuchsia platform, or peer components, require
+# security review to avoid introducing sandbox escapes. These include:
+# - Critical platform integrations (e.g. shared memory, process launching).
+# - Changes to Chromium-defined Fuchsia IPC (aka FIDL) protocols.
+# - Addition of new FIDL services to child process sandboxes.
+# - Addition of new FIDL clients and implementations.
+#
+# Security team: If you are uncomfortable reviewing a particular bit of code
+# yourself, don't hesitate to seek help from another security team member!
+# Nobody knows everything, and the only way to learn is from experience.
+
+# Please keep reviewers ordered alphabetically by LDAP.
+ajgo@chromium.org
+rsesek@chromium.org
+tsepez@chromium.org
+wez@chromium.org

fuchsia/engine/OWNERS

@@ -3,6 +3,10 @@ per-file *.mojom=file://ipc/SECURITY_OWNERS
 per-file *_type_converter*.*=set noparent
 per-file *_type_converter*.*=file://ipc/SECURITY_OWNERS
 
-# For security review.
+# For Mojo/IPC security review.
 per-file web_engine_browser_interface_binders.*=set noparent
 per-file web_engine_browser_interface_binders.*=file://ipc/SECURITY_OWNERS
+
+# For sandbox security review.
+per-file context_provider_impl.*=set noparent
+per-file context_provider_impl.*=file://fuchsia/SECURITY_OWNERS

services/service_manager/sandbox/fuchsia/OWNERS

-file://build/fuchsia/OWNERS
+file://fuchsia/SECURITY_OWNERS