Removed enable-appcontainer flag and replace command line with feature.

This CL removes the old renderer appcontainer flag from about:flags.
It also removes the old command line switch to enable or disable, instead
replacing it with a feature. This feature is disabled by default but the
expectation is to enable by default in the next milestone.

Bug: 501975
Change-Id: If9b7425624d60243e998958d31e53d5607a3424e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1761471Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#688552}

chrome/browser/about_flags.cc

@@ -2219,11 +2219,6 @@ const FeatureEntry kFeatureEntries[] = {
      MULTI_VALUE_TYPE(kCrosRegionsModeChoices)},
 #endif  // OS_CHROMEOS
 #if defined(OS_WIN)
-    {"enable-appcontainer", flag_descriptions::kEnableAppcontainerName,
-     flag_descriptions::kEnableAppcontainerDescription, kOsWin,
-     ENABLE_DISABLE_VALUE_TYPE(
-         service_manager::switches::kEnableAppContainer,
-         service_manager::switches::kDisableAppContainer)},
     {"enable-aura-tooltips-on-windows",
      flag_descriptions::kEnableAuraTooltipsOnWindowsName,
      flag_descriptions::kEnableAuraTooltipsOnWindowsDescription, kOsWin,

chrome/browser/flag_descriptions.cc

@@ -2895,11 +2895,6 @@ const char kDisablePostscriptPrintingDescription[] =
     "Disables PostScript generation when printing to PostScript capable "
     "printers, and uses EMF generation in its place.";
 
-const char kEnableAppcontainerName[] = "Enable AppContainer Lockdown.";
-const char kEnableAppcontainerDescription[] =
-    "Enables the use of an AppContainer on sandboxed processes to improve "
-    "security.";
-
 const char kEnableAuraTooltipsOnWindowsName[] =
     "Enable aura tooltips on Windows";
 const char kEnableAuraTooltipsOnWindowsDescription[] =

chrome/browser/flag_descriptions.h

@@ -1706,9 +1706,6 @@ extern const char kD3D11VideoDecoderDescription[];
 extern const char kDisablePostscriptPrinting[];
 extern const char kDisablePostscriptPrintingDescription[];
 
-extern const char kEnableAppcontainerName[];
-extern const char kEnableAppcontainerDescription[];
-
 extern const char kEnableAuraTooltipsOnWindowsName[];
 extern const char kEnableAuraTooltipsOnWindowsDescription[];
 

content/public/common/content_switches.h

@@ -185,8 +185,6 @@ CONTENT_EXPORT extern const char kMojoLocalStorage[];
 CONTENT_EXPORT extern const char kNetworkQuietTimeout[];
 CONTENT_EXPORT extern const char kNoZygote[];
 extern const char kNoV8UntrustedCodeMitigations[];
-CONTENT_EXPORT extern const char kEnableAppContainer[];
-CONTENT_EXPORT extern const char kDisableAppContainer[];
 CONTENT_EXPORT extern const char kNumRasterThreads[];
 CONTENT_EXPORT extern const char kOverridePluginPowerSaverForTesting[];
 CONTENT_EXPORT extern const char kPassiveListenersDefault[];

services/service_manager/sandbox/switches.cc

@@ -47,9 +47,6 @@ const char kAllowNoSandboxJob[] = "allow-no-sandbox-job";
 // Allows debugging of sandboxed processes (see zygote_main_linux.cc).
 const char kAllowSandboxDebugging[] = "allow-sandbox-debugging";
 
-// Disable appcontainer/lowbox for renderer on Win8+ platforms.
-const char kDisableAppContainer[] = "disable-appcontainer";
-
 // Disables the GPU process sandbox.
 const char kDisableGpuSandbox[] = "disable-gpu-sandbox";
 
@@ -65,9 +62,6 @@ const char kDisableSetuidSandbox[] = "disable-setuid-sandbox";
 // Disables the Win32K process mitigation policy for child processes.
 const char kDisableWin32kLockDown[] = "disable-win32k-lockdown";
 
-// Ensable appcontainer/lowbox for renderer on Win8+ platforms.
-const char kEnableAppContainer[] = "enable-appcontainer";
-
 // Allows shmat() system call in the GPU sandbox.
 const char kGpuSandboxAllowSysVShm[] = "gpu-sandbox-allow-sysv-shm";
 

services/service_manager/sandbox/switches.h

@@ -36,13 +36,11 @@ SERVICE_MANAGER_SANDBOX_EXPORT extern const char kImeSandbox[];
 // Flags owned by the service manager sandbox.
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kAllowNoSandboxJob[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kAllowSandboxDebugging[];
-SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableAppContainer[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableGpuSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableNamespaceSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableSeccompFilterSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableSetuidSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableWin32kLockDown[];
-SERVICE_MANAGER_SANDBOX_EXPORT extern const char kEnableAppContainer[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kGpuSandboxAllowSysVShm[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kGpuSandboxFailuresFatal[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kNoSandbox[];

services/service_manager/sandbox/win/sandbox_win.cc

@@ -553,16 +553,9 @@ BOOL WINAPI DuplicateHandlePatch(HANDLE source_process_handle,
 bool IsAppContainerEnabled() {
   if (base::win::GetVersion() < base::win::Version::WIN8)
     return false;
-  const base::CommandLine& command_line =
-      *base::CommandLine::ForCurrentProcess();
-  const std::string appcontainer_group_name =
-      base::FieldTrialList::FindFullName("EnableAppContainer");
-  if (command_line.HasSwitch(service_manager::switches::kDisableAppContainer))
-    return false;
-  if (command_line.HasSwitch(service_manager::switches::kEnableAppContainer))
-    return true;
-  return base::StartsWith(appcontainer_group_name, "Enabled",
-                          base::CompareCase::INSENSITIVE_ASCII);
+
+  return base::FeatureList::IsEnabled(
+      {"RendererAppContainer", base::FEATURE_DISABLED_BY_DEFAULT});
 }
 
 sandbox::ResultCode SetJobMemoryLimit(const base::CommandLine& cmd_line,