-
Notifications
You must be signed in to change notification settings - Fork 6.6k
/
sandbox.mojom
158 lines (128 loc) · 5.53 KB
/
sandbox.mojom
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
module sandbox.mojom;
// Sandbox type that can be specified as an attribute of mojo interfaces.
// To specify the sandbox a service should be launched in, use the
// [ServiceSandbox=type] attribute.
// If your service does not need access to OS resources it should be
// possible to host it in |kService|. These values are mapped to
// //sandbox/policy/sandbox_type.h values.
enum Sandbox {
// |kService| hosts 'computation only' services such as decoders that
// use limited operating system services. Prefer to use this sandbox
// if possible.
kService,
// |kServiceWithJit| hosts computation only services that make use of
// dynamic code (e.g. v8 or wasm) but do not need access to OS resources.
// Prefer |kService| if possible.
kServiceWithJit,
// Hosts generic utilities with limited access to system services.
// On some platforms, may be slightly less locked down than |kService|.
// For instance, it allows dynamic code and wider access to APIs on Windows.
kUtility,
// The audio service process. May be disabled by policy.
kAudio,
// Hosts the content decryption module. Allows pre-loading of CDM libraries.
// - On Windows, when `CdmServiceBroker` is connected the CDM was not
// sandboxed to allow CDM preloading.
// - On Mac, the process is fully sandboxed when launched.
// - On Linux/ChromeOS, the CDM is preloaded in the zygote sandbox.
kCdm,
// The network service. May be disabled by policy.
kNetwork,
// Runs with the same rights as the browser. Usually needed to improve
// stability by hosting code that interacts with third party code in another
// process.
kNoSandbox,
// Hosts the GPU service and can talk to GPU drivers and other OS APIs which
// may not be expecting untrusted input.
kGpu,
// Composits PDF and XPS documents.
kPrintCompositor,
// Hosts untrustworthy web content. Blocks as much OS access as possible.
// Unless disabled by policy, allows dynamic code (for wasm/v8). Services
// should prefer to use kService or kUtility.
kRenderer,
// Like kUtility but allows loading of speech recognition libraries.
kSpeechRecognition,
// Like kUtility but allows loading of screen AI library.
[EnableIf=enable_screen_ai_service]
kScreenAI,
// The PPAPI plugin process.
[EnableIf=enable_ppapi]
kPpapi,
// Equivalent to no sandbox on all non-Fuchsia platforms.
// Minimally privileged sandbox on Fuchsia.
[EnableIf=is_fuchsia]
kVideoCapture,
// Allows access to file contents and Windows APIs for parsing icons from PE
// files.
[EnableIf=is_win]
kIconReader,
// Allows LPAC capabilities for the Windws Media Foundation CDM, including
// internet and private network access, COM, Identity & others. Allows access
// to files in the `mediaFoundationCdmFiles` Chromium lpac.
[EnableIf=is_win]
kMediaFoundationCdm,
// Launches elevated. Used by the RemovableStorageWriter.
[EnableIf=is_win]
kNoSandboxAndElevatedPrivileges,
// Like kUtility, but patches GDI during child startup in pdf_child_init.
[EnableIf=is_win]
kPdfConversion,
// Interfaces with operating system print drivers.
[EnableIf=enable_oop_printing]
kPrintBackend,
// |kXrCompositing| hosts XR Device Service on Windows.
[EnableIf=is_win]
kXrCompositing,
// Allows LPAC capabilities for WinHttp. This only needs internet access,
// policy access, and service access.
[EnableIf=is_win]
kWindowsSystemProxyResolver,
// Used to protect processes that perform hardware video decode acceleration.
// Currently uses the same policy as the GPU process sandbox. Warm-up does
// something different depending on the video acceleration API: for VA-API, we
// open the render node and load libva plus associated libraries (like i965 or
// iHD). For V4L2, we set up the broker process to allow opening certain V4L2
// devices and we load the libv4l2.so library.
//
// TODO(b/195769334): we're using the GPU process sandbox policy for now as a
// transition step. However, we should create a policy that's tighter just for
// hardware video decoding.
[EnableIf=is_linux_or_chromeos_ash]
kHardwareVideoDecoding,
// Used to protect processes that perform hardware video encode acceleration.
// Currently uses the same policy as the GPU process sandbox. Warm-up does
// something different depending on the video acceleration API: for VA-API, we
// open the render node and load libva plus associated libraries (like i965 or
// iHD). For V4L2, we set up the broker process to allow opening certain V4L2
// devices and we load the libv4l2.so library and encoder plugins.
//
// TODO(b/248528896): we're using the GPU process sandbox policy for now as a
// transition step. However, we should create a policy that's tighter just for
// hardware video encoding.
[EnableIf=is_linux_or_chromeos]
kHardwareVideoEncoding,
// Hosts Input Method Editors.
[EnableIf=is_chromeos_ash]
kIme,
// Text-to-speech.
[EnableIf=is_chromeos_ash]
kTts,
// Hosts the Libassistant service on ChromeOS Ash, only used for
// Chrome branded builds.
[EnableIf=enable_cros_libassistant]
kLibassistant,
// Like kUtility but allows access to IOSurface on macOS.
[EnableIf=is_mac]
kMirroring,
// The NaCl loader process.
[EnableIf=is_mac]
kNaClLoader,
// Used to prime zygotes before they specialize. The process will receive a
// new sandbox later in its lifetime.
[EnableIf=has_zygote]
kZygoteIntermediateSandbox,
};