Default to sandboxed zygote in SandboxedProcessLauncherDelegate.

Now that all processes which can launch from the zygote are doing so,
we should ensure future launchers are safe by default and that
exceptions are intentional.

Additionally adds file://sandbox/OWNERS for relevant files.

Fixed: 22703
Test: All existing tests pass.
Change-Id: I188f4314fbf5cf4659bf555b14b572f657a8720c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2067541
Auto-Submit: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/heads/master@{#744049}

content/public/common/OWNERS

@@ -12,3 +12,5 @@ per-file *.typemap=set noparent
 per-file *.typemap=file://ipc/SECURITY_OWNERS
 per-file *_type_converter*.*=set noparent
 per-file *_type_converter*.*=file://ipc/SECURITY_OWNERS
+per-file sandbox*=set noparent
+per-file sandbox*=file://sandbox/OWNERS

content/public/common/sandboxed_process_launcher_delegate.cc

@@ -34,7 +34,9 @@ bool SandboxedProcessLauncherDelegate::ShouldLaunchElevated() {
 
 #if BUILDFLAG(USE_ZYGOTE_HANDLE)
 service_manager::ZygoteHandle SandboxedProcessLauncherDelegate::GetZygote() {
-  return nullptr;
+  // Default to the sandboxed zygote. If a more lax sandbox is needed, then the
+  // child class should override this method and use the unsandboxed zygote.
+  return service_manager::GetGenericZygote();
 }
 #endif  // BUILDFLAG(USE_ZYGOTE_HANDLE)
 

content/public/common/sandboxed_process_launcher_delegate.h

@@ -43,8 +43,6 @@ class CONTENT_EXPORT SandboxedProcessLauncherDelegate
 
 #if BUILDFLAG(USE_ZYGOTE_HANDLE)
   // Returns the zygote used to launch the process.
-  // NOTE: For now Chrome always uses the same zygote for performance reasons.
-  // http://crbug.com/569191
   virtual service_manager::ZygoteHandle GetZygote();
 #endif  // BUILDFLAG(USE_ZYGOTE_HANDLE)