Require CHROME_DEVEL_SANDBOX to be built with a non-component config

Also:
* Remove an out-of-date comment.
* Add binutils to install-build-deps.sh for readelf and grep.  We already use
  binutils in many places, and it's likely already installed everywhere, but
  it's good to list out direct dependencies.

BUG=850682
R=thakis

Change-Id: I80830ad42fe37f1b93f393f5a6ca5af68ef92998
Reviewed-on: https://chromium-review.googlesource.com/1157436Reviewed-by: Nico Weber <thakis@chromium.org>
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#579853}

build/config/gcc/BUILD.gn

@@ -51,14 +51,6 @@ config("symbol_visibility_default") {
 # step will put the directory where the build generates shared libraries into
 # the rpath.
 #
-# It's important that this *not* be used for release builds we push out.
-# Chrome uses some setuid binaries, and hard links preserve setuid bits. An
-# unprivileged user could gain root privileges by hardlinking a setuid
-# executable and then adding in whatever binaries they want to run into the lib
-# directory.
-#
-# Example bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520126
-#
 # This is required for component builds since the build generates many shared
 # libraries in the build directory that we expect to be automatically loaded.
 # It will be automatically applied in this case by :executable_ldconfig.

build/install-build-deps.sh

@@ -118,6 +118,7 @@ fi
 
 # Packages needed for development
 dev_list="\
+  binutils
   bison
   bzip2
   cdbs

build/update-linux-sandbox.sh

@@ -45,6 +45,11 @@ if [ ! -f "${CHROME_SANDBOX_BUILD_PATH}" ]; then
   exit 1
 fi
 
+if readelf -d "${CHROME_SANDBOX_BUILD_PATH}" | grep "(RPATH)" &>/dev/null; then
+  echo "Build requires is_component_build=false in ${CHROME_OUT_DIR}/args.gn."
+  exit 1
+fi
+
 if [ ! -f "${CHROME_SANDBOX_INST_PATH}" ]; then
   echo -n "Could not find ${CHROME_SANDBOX_INST_PATH}, "
   echo "installing it now."