Add 'FsNosymfollow' flag to VariationsService and chrome://flags

This flag allows for controlling whether user-supplied filesystems in
CrOS are mounted with the 'nosymfollow' option that will cause symlink
traversal to be blocked. Will be configurable through VariationsService
as well as chrome://flags.

This needs CL:1338199 to land and then a deps roll to happen before
this can land.

"sudo -u chronos dbus-send --system --type=method_call --print-reply \
--dest=org.chromium.ChromeFeaturesService \
/org/chromium/ChromeFeaturesService \
"org.chromium.ChromeFeaturesServiceInterface.IsFsNosymfollowEnabled"

Bug: 867807
Test: look at chrome://flags as well as:
Change-Id: Iffd13ebf95a2d1bb12541a8c910aa0bba18ef79f
Reviewed-on: https://chromium-review.googlesource.com/c/1338173Reviewed-by: Dan Erat <derat@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Elly Fong-Jones <ellyjones@chromium.org>
Commit-Queue: Micah Morton <mortonm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609555}

chrome/browser/about_flags.cc

@@ -4376,7 +4376,9 @@ const FeatureEntry kFeatureEntries[] = {
     {"enable-shill-sandboxing", flag_descriptions::kShillSandboxingName,
      flag_descriptions::kShillSandboxingDescription, kOsCrOS,
      FEATURE_VALUE_TYPE(features::kShillSandboxing)},
-
+    {"enable-fs-nosymfollow", flag_descriptions::kFsNosymfollowName,
+     flag_descriptions::kFsNosymfollowDescription, kOsCrOS,
+     FEATURE_VALUE_TYPE(features::kFsNosymfollow)},
     {"enable-arc-unified-audio-focus",
      flag_descriptions::kEnableArcUnifiedAudioFocusName,
      flag_descriptions::kEnableArcUnifiedAudioFocusDescription, kOsCrOS,

chrome/browser/chromeos/dbus/chrome_features_service_provider.cc

@@ -49,6 +49,14 @@ void ChromeFeaturesServiceProvider::Start(
           weak_ptr_factory_.GetWeakPtr()),
       base::BindRepeating(&ChromeFeaturesServiceProvider::OnExported,
                           weak_ptr_factory_.GetWeakPtr()));
+  exported_object->ExportMethod(
+      kChromeFeaturesServiceInterface,
+      kChromeFeaturesServiceIsFsNosymfollowEnabledMethod,
+      base::BindRepeating(
+          &ChromeFeaturesServiceProvider::IsFsNosymfollowEnabled,
+          weak_ptr_factory_.GetWeakPtr()),
+      base::BindRepeating(&ChromeFeaturesServiceProvider::OnExported,
+                          weak_ptr_factory_.GetWeakPtr()));
 }
 
 void ChromeFeaturesServiceProvider::OnExported(
@@ -86,6 +94,7 @@ void ChromeFeaturesServiceProvider::IsCrostiniEnabled(
   response_sender.Run(std::move(response));
 }
 
+// TODO(mortonm): Combine these functions below when adding any more flags.
 void ChromeFeaturesServiceProvider::IsUsbguardEnabled(
     dbus::MethodCall* method_call,
     dbus::ExportedObject::ResponseSender response_sender) {
@@ -106,4 +115,14 @@ void ChromeFeaturesServiceProvider::IsShillSandboxingEnabled(
   response_sender.Run(std::move(response));
 }
 
+void ChromeFeaturesServiceProvider::IsFsNosymfollowEnabled(
+    dbus::MethodCall* method_call,
+    dbus::ExportedObject::ResponseSender response_sender) {
+  std::unique_ptr<dbus::Response> response =
+      dbus::Response::FromMethodCall(method_call);
+  dbus::MessageWriter writer(response.get());
+  writer.AppendBool(base::FeatureList::IsEnabled(features::kFsNosymfollow));
+  response_sender.Run(std::move(response));
+}
+
 }  // namespace chromeos

chrome/browser/chromeos/dbus/chrome_features_service_provider.h

@@ -51,6 +51,9 @@ class ChromeFeaturesServiceProvider
   void IsShillSandboxingEnabled(
       dbus::MethodCall* method_call,
       dbus::ExportedObject::ResponseSender response_sender);
+  void IsFsNosymfollowEnabled(
+      dbus::MethodCall* method_call,
+      dbus::ExportedObject::ResponseSender response_sender);
 
   // Keep this last so that all weak pointers will be invalidated at the
   // beginning of destruction.

chrome/browser/flag-metadata.json

@@ -1167,6 +1167,11 @@
     // "owners": [ "your-team" ],
     "expiry_milestone": 76
   },
+  {
+    "name": "enable-fs-nosymfollow",
+    "owners": [ "mortonm@chromium.org" ],
+    "expiry_milestone": 76
+  },
   {
     "name": "enable-fullscreen-handwriting-virtual-keyboard",
     // "owners": [ "your-team" ],

chrome/browser/flag_descriptions.cc

@@ -3620,6 +3620,13 @@ const char kShillSandboxingName[] =
 const char kShillSandboxingDescription[] =
     "Causes shill to be run as user/group 'shill', instead of 'root'.";
 
+const char kFsNosymfollowName[] =
+    "Prevent symlink traversal on user-supplied filesystems.";
+const char kFsNosymfollowDescription[] =
+    "Causes user-supplied filesystems to be mounted with the 'nosymfollow'"
+    " option, so the chromuimos LSM denies symlink traversal on the"
+    " filesystem.";
+
 const char kUseMashName[] = "Out-of-process system UI (mash)";
 const char kUseMashDescription[] =
     "Runs the mojo UI service (mus) and the ash window manager and system UI "

chrome/browser/flag_descriptions.h

@@ -2178,6 +2178,9 @@ extern const char kUsbguardDescription[];
 extern const char kShillSandboxingName[];
 extern const char kShillSandboxingDescription[];
 
+extern const char kFsNosymfollowName[];
+extern const char kFsNosymfollowDescription[];
+
 extern const char kUseMashName[];
 extern const char kUseMashDescription[];
 

chrome/common/chrome_features.cc

@@ -660,6 +660,10 @@ const base::Feature kUsbguard{"USBGuard", base::FEATURE_DISABLED_BY_DEFAULT};
 // Enable running shill in a minijail sandbox on Chrome OS.
 const base::Feature kShillSandboxing{"ShillSandboxing",
                                      base::FEATURE_ENABLED_BY_DEFAULT};
+
+// Enable restriction of symlink traversal on user-supplied filesystems.
+const base::Feature kFsNosymfollow{"FsNosymfollow",
+                                   base::FEATURE_DISABLED_BY_DEFAULT};
 #endif  // defined(OS_CHROMEOS)
 
 // Enable showing a tab-modal dialog while a Web Authentication API request is

chrome/common/chrome_features.h

@@ -440,6 +440,8 @@ extern const base::Feature kMachineLearningService;
 COMPONENT_EXPORT(CHROME_FEATURES) extern const base::Feature kUsbguard;
 
 COMPONENT_EXPORT(CHROME_FEATURES) extern const base::Feature kShillSandboxing;
+
+COMPONENT_EXPORT(CHROME_FEATURES) extern const base::Feature kFsNosymfollow;
 #endif  // defined(OS_CHROMEOS)
 
 COMPONENT_EXPORT(CHROME_FEATURES)

tools/metrics/histograms/enums.xml

@@ -29689,6 +29689,7 @@ from previous Chrome versions.
   <int value="-1114080030" label="ResourceLoadingHints:enabled"/>
   <int value="-1112782121" label="AndroidSigninPromos:disabled"/>
   <int value="-1107762575" label="enable-data-reduction-proxy-config-client"/>
+  <int value="-1107103335" label="FsNosymfollow:enabled"/>
   <int value="-1102212525" label="enable-tcp-fastopen"/>
   <int value="-1099142083" label="V8Ignition:disabled"/>
   <int value="-1099135056" label="AsyncDns:enabled"/>
@@ -31204,6 +31205,7 @@ from previous Chrome versions.
   <int value="1731612996" label="CrostiniFiles:disabled"/>
   <int value="1733390925" label="force-enable-stylus-tools"/>
   <int value="1735934914" label="OverlayScrollbarFlashWhenMouseEnter:disabled"/>
+  <int value="1736698988" label="FsNosymfollow:disabled"/>
   <int value="1739456903" label="PWAFullCodeCache:enabled"/>
   <int value="1747279677" label="disable-delegated-renderer"/>
   <int value="1752168018" label="enable-stale-while-revalidate"/>