[fuchsia] Launch each sub-process in a separate job.

Isolate web_engine child processes (e.g. Renderers) to each run in a
separate job, to provide stronger isolation (e.g. they cannot discover
one another via PID).

Bug: 1053543
Change-Id: I45457f2fb034fd0c050cf12e11ab068618e8e37c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2161038
Commit-Queue: Wez <wez@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Auto-Submit: Wez <wez@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#761988}

fuchsia/engine/context_provider_impl.cc

@@ -30,7 +30,6 @@
 #include "base/files/file_util.h"
 #include "base/files/scoped_file.h"
 #include "base/fuchsia/default_context.h"
-#include "base/fuchsia/default_job.h"
 #include "base/fuchsia/fuchsia_logging.h"
 #include "base/json/json_reader.h"
 #include "base/json/json_writer.h"
@@ -316,6 +315,9 @@ void ContextProviderImpl::Create(
   sandbox_policy.SetServiceDirectory(std::move(service_directory));
   sandbox_policy.UpdateLaunchOptionsForSandbox(&launch_options);
 
+  // SandboxPolicyFuchsia should isolate each Context in its own job.
+  DCHECK_NE(launch_options.job_handle, ZX_HANDLE_INVALID);
+
   // Transfer the ContextRequest handle to a well-known location in the child
   // process' handle table.
   launch_options.handles_to_transfer.push_back(
@@ -342,17 +344,6 @@ void ContextProviderImpl::Create(
         base::PathToTransfer{data_path, data_directory_channel.release()});
   }
 
-  // Isolate the child Context processes by containing them within their own
-  // respective jobs.
-  zx::job job;
-  zx_status_t status = zx::job::create(*base::GetDefaultJob(), 0, &job);
-  if (status != ZX_OK) {
-    ZX_LOG(ERROR, status) << "zx_job_create";
-    context_request.Close(ZX_ERR_INTERNAL);
-    return;
-  }
-  launch_options.job_handle = job.get();
-
   base::CommandLine launch_command = *base::CommandLine::ForCurrentProcess();
   std::vector<zx::channel> devtools_listener_channels;
 

services/service_manager/sandbox/BUILD.gn

@@ -111,6 +111,12 @@ component("sandbox") {
       "fuchsia/sandbox_policy_fuchsia.h",
     ]
 
+    public_deps += [
+      "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.io",
+      "//third_party/fuchsia-sdk/sdk/pkg/fidl",
+      "//third_party/fuchsia-sdk/sdk/pkg/zx",
+    ]
+
     deps += [
       "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.fonts",
       "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.intl",

services/service_manager/sandbox/fuchsia/sandbox_policy_fuchsia.cc

@@ -27,7 +27,9 @@
 #include "base/containers/span.h"
 #include "base/files/file_util.h"
 #include "base/fuchsia/default_context.h"
+#include "base/fuchsia/default_job.h"
 #include "base/fuchsia/filtered_service_directory.h"
+#include "base/fuchsia/fuchsia_logging.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
 #include "base/process/process.h"
@@ -241,6 +243,11 @@ void SandboxPolicyFuchsia::UpdateLaunchOptionsForSandbox(
         base::FilePath("/svc"),
         service_directory_client_.TakeChannel().release()});
   }
+
+  // Isolate the child process from the call by launching it in its own job.
+  zx_status_t status = zx::job::create(*base::GetDefaultJob(), 0, &job_);
+  ZX_CHECK(status == ZX_OK, status) << "zx_job_create";
+  options->job_handle = job_.get();
 }
 
 }  // namespace service_manager

services/service_manager/sandbox/fuchsia/sandbox_policy_fuchsia.h

@@ -7,6 +7,7 @@
 
 #include <fuchsia/io/cpp/fidl.h>
 #include <lib/fidl/cpp/interface_handle.h>
+#include <lib/zx/job.h>
 
 #include "base/memory/ref_counted.h"
 #include "services/service_manager/sandbox/export.h"
@@ -53,6 +54,9 @@ class SERVICE_MANAGER_SANDBOX_EXPORT SandboxPolicyFuchsia {
   fidl::InterfaceHandle<::fuchsia::io::Directory> service_directory_client_;
   scoped_refptr<base::SequencedTaskRunner> service_directory_task_runner_;
 
+  // Job in which the child process is launched.
+  zx::job job_;
+
   DISALLOW_COPY_AND_ASSIGN(SandboxPolicyFuchsia);
 };