Create a field trial for Seccomp-BPF on Android.

BUG=477049

Review URL: https://codereview.chromium.org/1419083012

Cr-Commit-Position: refs/heads/master@{#361136}

chrome/browser/about_flags.cc

@@ -45,6 +45,7 @@
 #include "components/tracing/tracing_switches.h"
 #include "components/version_info/version_info.h"
 #include "content/public/browser/user_metrics.h"
+#include "content/public/common/content_features.h"
 #include "content/public/common/content_switches.h"
 #include "grit/components_strings.h"
 #include "media/base/media_switches.h"
@@ -1721,11 +1722,11 @@ const FeatureEntry kFeatureEntries[] = {
      SINGLE_VALUE_TYPE(chromeos::switches::kDisableCaptivePortalBypassProxy)},
 #endif  // defined(OS_CHROMEOS)
 #if defined(OS_ANDROID)
-    {"enable-seccomp-filter-sandbox",
+    {"enable-seccomp-sandbox-android",
      IDS_FLAGS_ENABLE_SECCOMP_FILTER_SANDBOX_ANDROID_NAME,
      IDS_FLAGS_ENABLE_SECCOMP_FILTER_SANDBOX_ANDROID_DESCRIPTION,
      kOsAndroid,
-     SINGLE_VALUE_TYPE(switches::kEnableSeccompFilterSandbox)},
+     FEATURE_VALUE_TYPE(content::kSeccompSandboxAndroidFeature)},
 #endif
     {"enable-touch-hover",
      IDS_FLAGS_ENABLE_TOUCH_HOVER_NAME,

content/browser/renderer_host/render_process_host_impl.cc

@@ -1363,7 +1363,6 @@ void RenderProcessHostImpl::PropagateBrowserCommandLineToRenderer(
     switches::kEnablePushMessagePayload,
     switches::kEnableRGBA4444Textures,
     switches::kEnableRendererMojoChannel,
-    switches::kEnableSeccompFilterSandbox,
     switches::kEnableSkiaBenchmarking,
     switches::kEnableSlimmingPaintV2,
     switches::kEnableSmoothScrolling,

content/content_common.gypi

@@ -56,6 +56,8 @@
       'public/common/content_constants.cc',
       'public/common/content_constants.h',
       'public/common/content_descriptors.h',
+      'public/common/content_features.cc',
+      'public/common/content_features.h',
       'public/common/content_ipc_logging.h',
       'public/common/content_paths.h',
       'public/common/content_switches.cc',

content/public/common/content_features.cc

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/public/common/content_features.h"
+
+namespace content {
+
+#if defined(OS_ANDROID)
+const base::Feature kSeccompSandboxAndroidFeature = {
+  "SeccompSandboxAndroid", base::FEATURE_DISABLED_BY_DEFAULT
+};
+#endif
+
+}  // namespace content

content/public/common/content_features.h

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// This file defines all the public base::FeatureList features for the content
+// module.
+
+#ifndef CONTENT_PUBLIC_COMMON_CONTENT_FEATURES_H_
+#define CONTENT_PUBLIC_COMMON_CONTENT_FEATURES_H_
+
+#include "build/build_config.h"
+#include "base/feature_list.h"
+#include "content/common/content_export.h"
+
+namespace content {
+
+#if defined(OS_ANDROID)
+// FeatureList definition for the Seccomp field trial.
+CONTENT_EXPORT extern const base::Feature kSeccompSandboxAndroidFeature;
+#endif  // defined(OS_ANDROID)
+
+// DON'T ADD RANDOM STUFF HERE. Put it in the main section above in
+// alphabetical order, or in one of the ifdefs (also in order in each section).
+
+}  // namespace content
+
+#endif  // CONTENT_PUBLIC_COMMON_CONTENT_FEATURES_H_

content/public/common/content_switches.cc

@@ -426,11 +426,6 @@ const char kV8SnapshotPassedByFD[] = "v8-snapshot-passed-by-fd";
 // is denied by the sandbox.
 const char kEnableSandboxLogging[]          = "enable-sandbox-logging";
 
-// Enables seccomp-bpf support for Android. Requires experimental kernel
-// support. <http://crbug.com/166704>
-const char kEnableSeccompFilterSandbox[] =
-    "enable-seccomp-filter-sandbox";
-
 // Enables the Skia benchmarking extension
 const char kEnableSkiaBenchmarking[]        = "enable-skia-benchmarking";
 

content/public/common/content_switches.h

@@ -127,7 +127,6 @@ CONTENT_EXPORT extern const char kEnablePreciseMemoryInfo[];
 CONTENT_EXPORT extern const char kEnablePushMessagePayload[];
 CONTENT_EXPORT extern const char kEnableRGBA4444Textures[];
 CONTENT_EXPORT extern const char kEnableSandboxLogging[];
-CONTENT_EXPORT extern const char kEnableSeccompFilterSandbox[];
 extern const char kEnableSkiaBenchmarking[];
 CONTENT_EXPORT extern const char kEnableSlimmingPaintV2[];
 CONTENT_EXPORT extern const char kEnableSmoothScrolling[];

content/renderer/renderer_main_platform_delegate_android.cc

@@ -4,17 +4,50 @@
 
 #include "content/renderer/renderer_main_platform_delegate.h"
 
-#include "base/command_line.h"
+#include "base/android/build_info.h"
+#include "base/feature_list.h"
 #include "base/logging.h"
-#include "content/public/common/content_switches.h"
 
 #ifdef USE_SECCOMP_BPF
 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
+#include "content/public/common/content_features.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #endif
 
 namespace content {
 
+namespace {
+
+#ifdef USE_SECCOMP_BPF
+// Determines if the running device should support Seccomp, based on the Android
+// SDK version.
+bool IsSeccompBPFSupportedBySDK() {
+  const auto info = base::android::BuildInfo::GetInstance();
+  if (info->sdk_int() < 22) {
+    // Seccomp was never available pre-Lollipop.
+    return false;
+  } else if (info->sdk_int() == 22) {
+    // On Lollipop-MR1, only select Nexus devices have Seccomp available.
+    const char* const kDevices[] = {
+        "deb",   "flo",   "hammerhead", "mako",
+        "manta", "shamu", "sprout",     "volantis",
+    };
+
+    for (const auto& device : kDevices) {
+      if (strcmp(device, info->device()) == 0) {
+        return true;
+      }
+    }
+  } else {
+    // On Marshmallow and higher, Seccomp is required by CTS.
+    return true;
+  }
+  return false;
+}
+#endif  // USE_SECCOMP_BPF
+
+}  // namespace
+
 RendererMainPlatformDelegate::RendererMainPlatformDelegate(
     const MainFunctionParams& parameters)
     : parameters_(parameters) {
@@ -31,20 +64,24 @@ void RendererMainPlatformDelegate::PlatformUninitialize() {
 
 bool RendererMainPlatformDelegate::EnableSandbox() {
 #ifdef USE_SECCOMP_BPF
-  if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kEnableSeccompFilterSandbox)) {
+  // Determine if Seccomp is available via the Android SDK version.
+  if (!IsSeccompBPFSupportedBySDK())
     return true;
-  }
+
+  // Do run-time detection to ensure that support is present.
   if (!sandbox::SandboxBPF::SupportsSeccompSandbox(
           sandbox::SandboxBPF::SeccompLevel::MULTI_THREADED)) {
-    LOG(WARNING) << "Seccomp-BPF sandbox enabled without kernel support. "
-                 << "Ignoring flag and proceeding without seccomp sandbox.";
+    LOG(WARNING) << "Seccomp support should be present, but detection "
+        << "failed. Continuing without Seccomp-BPF.";
     return true;
   }
 
-  sandbox::SandboxBPF sandbox(new SandboxBPFBasePolicyAndroid());
-  CHECK(
-      sandbox.StartSandbox(sandbox::SandboxBPF::SeccompLevel::MULTI_THREADED));
+  // Seccomp has been detected, check if the field trial experiment should run.
+  if (base::FeatureList::IsEnabled(kSeccompSandboxAndroidFeature)) {
+    sandbox::SandboxBPF sandbox(new SandboxBPFBasePolicyAndroid());
+    CHECK(sandbox.StartSandbox(
+        sandbox::SandboxBPF::SeccompLevel::MULTI_THREADED));
+  }
 #endif
   return true;
 }