Convert utility process ParseMediaMetadata IPC to mojo

chrome/utility/chrome_content_utility_client.cc

Index: chrome/utility/chrome_content_utility_client.cc
diff --git a/chrome/utility/chrome_content_utility_client.cc b/chrome/utility/chrome_content_utility_client.cc
index 2fea5c2f9ca90654d7990acc0bc056474a4c20e7..436ee9e50bb5161121d3d0878366361a67d6399b 100644
--- a/chrome/utility/chrome_content_utility_client.cc
+++ b/chrome/utility/chrome_content_utility_client.cc
@@ -115,7 +115,7 @@ std::unique_ptr<service_manager::Service> CreateImageDecoderService() {
 ChromeContentUtilityClient::ChromeContentUtilityClient()
     : filter_messages_(false) {
 #if BUILDFLAG(ENABLE_EXTENSIONS)
-  handlers_.push_back(new extensions::ExtensionsHandler(this));
+  handlers_.push_back(new extensions::ExtensionsHandler());
   handlers_.push_back(new image_writer::ImageWriterHandler());
 #endif
 
@@ -192,13 +192,17 @@ bool ChromeContentUtilityClient::OnMessageReceived(
 
 void ChromeContentUtilityClient::ExposeInterfacesToBrowser(
     service_manager::InterfaceRegistry* registry) {
-  // When the utility process is running with elevated privileges, we need to
-  // filter messages so that only a whitelist of IPCs can run. In Mojo, there's
-  // no way of filtering individual messages. Instead, we can avoid adding
-  // non-whitelisted Mojo services to the service_manager::InterfaceRegistry.
-  // TODO(amistry): Use a whitelist once the whistlisted IPCs have been
-  // converted to Mojo.
-  if (filter_messages_)
+  const bool running_elevated =
+      base::CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kUtilityProcessRunningElevated);
+#if BUILDFLAG(ENABLE_EXTENSIONS)
+  ChromeContentUtilityClient* utility_client = this;
+  extensions::ExtensionsHandler::ExposeInterfacesToBrowser(
+      registry, utility_client, running_elevated);
+#endif
+  // If our process runs with elevated privileges, only add elevated
+  // Mojo services to the interface registry.
+  if (running_elevated)

[dcheng, 2017/01/11 09:09:59]

Since this was changed, I wonder why we don't filter messages if
kMessageWhitelistSize == 0 and the process is elevated. Is this a bug? Or do we
assume that we never start up a elevated utility process that's filtering all
messages?

[Noel Gordon, 2017/01/12 14:11:20]

Great question.  Looks like a potential bug to me.  kMessageWhitelistSize == 0
and elevated looks to be possible by building chrome without the EXTENSIONS
build flag (that would make kMessageWhitelistSize = 0).  Dunno if we do that,
but an elevated utility process in that case would expose non-elevated IPC, and
(prior to my change) non-elevated mojos too.

[Noel Gordon, 2017/01/12 23:19:04]

https://cs.chromium.org/search/?q=ElevatePrivileges&sq=package:chromium tells me
that utility process elevation is only used on WIN, and that its two users are
in the EXTENSIONS system.  Each of them have IPC whitelist entries installed in
the utility process.  So no bug here: an elevated utility process always has a
whitelist to filter on.

[dcheng, 2017/01/13 09:21:04]

OK. I hope we can clean up the filter_messages_ thing once this is all Mojo.

     return;
 
 #if !defined(OS_ANDROID)