Enable Safe Browsing download protection on Fuchsia

This CL makes a couple changes to how file type policies are controlled
to support building Chrome for Fuchsia.
1. We disable the File Type Policies component updater, since we can't
get a Fuchsia-specific version of the component.
2. We ship a minimal file type policy with all file types marked as
safe.

This effectively disables download protection without disabling other
Safe Browsing functionality. If Fuchsia is ever in need of download
protection, we can fairly easily modify this approach to ship a
different file type policy in the future.

Bug: 1056278
Change-Id: I835fcb70ea1bed63193be830f53ed57a9ea2d3a7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3012281
Reviewed-by: Nathan Parker <nparker@chromium.org>
Reviewed-by: David Dorwin <ddorwin@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Reviewed-by: Sorin Jianu <sorin@chromium.org>
Reviewed-by: Bettina Dea <bdea@chromium.org>
Commit-Queue: Daniel Rubery <drubery@chromium.org>
Cr-Commit-Position: refs/heads/master@{#900579}

chrome/browser/BUILD.gn

@@ -318,8 +318,6 @@ static_library("browser") {
     "component_updater/crl_set_component_installer.h",
     "component_updater/crowd_deny_component_installer.cc",
     "component_updater/crowd_deny_component_installer.h",
-    "component_updater/file_type_policies_component_installer.cc",
-    "component_updater/file_type_policies_component_installer.h",
     "component_updater/first_party_sets_component_installer.cc",
     "component_updater/first_party_sets_component_installer.h",
     "component_updater/floc_component_installer.cc",
@@ -6657,6 +6655,13 @@ static_library("browser") {
       "//components/safe_browsing/content/common/proto:download_file_types_proto",
     ]
   }
+
+  if (!is_fuchsia) {
+    sources += [
+      "component_updater/file_type_policies_component_installer.cc",
+      "component_updater/file_type_policies_component_installer.h",
+    ]
+  }
 }
 
 if (is_android) {

chrome/browser/component_updater/registration.cc

@@ -155,7 +155,13 @@ void RegisterComponentsForUpdate(bool is_off_the_record_profile,
 #endif  // defined(OS_ANDROID)
   }
   RegisterSSLErrorAssistantComponent(cus);
+
+  // Since file type policies are per-platform, and we don't support
+  // Fuchsia-specific component versions, we don't dynamically update file type
+  // policies on Fuchsia.
+#if !defined(OS_FUCHSIA)
   RegisterFileTypePoliciesComponent(cus);
+#endif
 
 #if !BUILDFLAG(IS_CHROMEOS_ASH)
   // CRLSetFetcher attempts to load a CRL set from either the local disk or

components/resources/BUILD.gn

@@ -52,8 +52,7 @@ grit("components_resources") {
     deps += [ "//components/resources/ssl/ssl_error_assistant:make_ssl_error_assistant_protobuf" ]
   }
 
-  # TODO(crbug/1056278): Enable this on Fuchsia
-  if (safe_browsing_mode > 0 && !is_fuchsia) {
+  if (safe_browsing_mode > 0) {
     deps += [
       "//components/safe_browsing/content/resources:make_file_types_protobuf",
     ]

components/safe_browsing/content/common/proto/BUILD.gn

@@ -5,8 +5,7 @@
 import("//components/safe_browsing/buildflags.gni")
 import("//third_party/protobuf/proto_library.gni")
 
-# TODO(crbug/1056278): Enable this on Fuchsia
-if (safe_browsing_mode != 0 && !is_fuchsia) {
+if (safe_browsing_mode != 0) {
   proto_library("download_file_types_proto") {
     sources = [ "download_file_types.proto" ]
   }

components/safe_browsing/content/resources/BUILD.gn

@@ -6,61 +6,74 @@ import("//build/config/chromeos/ui_mode.gni")
 
 # TODO(nparker): reduce the duplication between these two, somehow.
 
-# Generate the binary proto form of "file_types" from the ascii proto.
-action("make_file_types_protobuf") {
-  script = "gen_file_type_proto.py"
+if (!is_fuchsia) {
+  # Generate the binary proto form of "file_types" from the ascii proto.
+  action("make_file_types_protobuf") {
+    script = "gen_file_type_proto.py"
 
-  # The output goes in $target_gen_dir since that's where
-  # components/resources/safe_browsing_resources.grdp will look for it.
+    # The output goes in $target_gen_dir since that's where
+    # components/resources/safe_browsing_resources.grdp will look for it.
 
-  input_filename = "download_file_types.asciipb"
-  output_dir = target_gen_dir
-  output_basename = "download_file_types.pb"
-  python_path_root = "$root_out_dir/pyproto"
-  python_path_safe_browsing =
-      "$python_path_root/components/safe_browsing/content/common/proto"
+    input_filename = "download_file_types.asciipb"
+    output_dir = target_gen_dir
+    output_basename = "download_file_types.pb"
+    python_path_root = "$root_out_dir/pyproto"
+    python_path_safe_browsing =
+        "$python_path_root/components/safe_browsing/content/common/proto"
 
-  # Pick an architecture to generate for. These string match those
-  # in the python script.
-  if (is_android) {
-    target_arch = "android"
-  } else if (is_chromeos_ash) {
-    target_arch = "chromeos"
-  } else if (is_win) {
-    target_arch = "win"
-  } else if (is_mac) {
-    target_arch = "mac"
-  } else if (is_linux || is_chromeos) {
-    target_arch = "linux"
-  } else {
-    # This will cause the script to fail.
-    target_arch = "unknown_target_arch"
+    # Pick an architecture to generate for. These string match those
+    # in the python script.
+    if (is_android) {
+      target_arch = "android"
+    } else if (is_chromeos_ash) {
+      target_arch = "chromeos"
+    } else if (is_win) {
+      target_arch = "win"
+    } else if (is_mac) {
+      target_arch = "mac"
+    } else if (is_linux || is_chromeos) {
+      target_arch = "linux"
+    } else {
+      # This will cause the script to fail.
+      target_arch = "unknown_target_arch"
+    }
+
+    inputs = [ input_filename ]
+
+    deps = [
+      "//components/safe_browsing/content/common/proto:download_file_types_proto",
+      "//third_party/protobuf:py_proto",
+    ]
+
+    outputs = [ "$output_dir/$output_basename" ]
+
+    args = [
+      "-w",
+      "-t",
+      target_arch,
+      "-i",
+      rebase_path(input_filename, root_build_dir),
+      "-d",
+      rebase_path(output_dir, root_build_dir),
+      "-o",
+      output_basename,
+      "-p",
+      rebase_path(python_path_root, root_build_dir),
+      "-p",
+      rebase_path(python_path_safe_browsing, root_build_dir),
+    ]
   }
+} else {
+  # Since the component updater doesn't currently support Fuchsia-specific
+  # components, we don't want to create real file type policy for Fuchsia. So
+  # instead we ship a minimal policy with all file types marked as safe.
+  copy("make_file_types_protobuf") {
+    sources = [ "empty_file_type_policy.pb" ]
 
-  inputs = [ input_filename ]
-
-  deps = [
-    "//components/safe_browsing/content/common/proto:download_file_types_proto",
-    "//third_party/protobuf:py_proto",
-  ]
-
-  outputs = [ "$output_dir/$output_basename" ]
-
-  args = [
-    "-w",
-    "-t",
-    target_arch,
-    "-i",
-    rebase_path(input_filename, root_build_dir),
-    "-d",
-    rebase_path(output_dir, root_build_dir),
-    "-o",
-    output_basename,
-    "-p",
-    rebase_path(python_path_root, root_build_dir),
-    "-p",
-    rebase_path(python_path_safe_browsing, root_build_dir),
-  ]
+    output_dir = target_gen_dir
+    output_basename = "download_file_types.pb"
+    outputs = [ "$output_dir/$output_basename" ]
+  }
 }
 
 # Generate the binary proto for ALL platforms.  This is only run manually

components/safe_browsing/content/resources/empty_file_type_policy.textproto

@@ -0,0 +1,13 @@
+# Textproto version of empty_file_type_policy.pb for reference. The pb file
+# the authoritative version.
+
+version_id: 0
+default_file_type {
+
+  uma_value: 18
+  ping_setting: NO_PING
+  platform_settings {
+    danger_level: NOT_DANGEROUS
+    auto_open_hint: ALLOW_AUTO_OPEN
+  }
+}