| // Copyright 2021 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| module sandbox.mojom; |
| |
| // Sandbox type that can be specified as an attribute of mojo interfaces. |
| // To specify the sandbox a service should be launched in, use the |
| // [ServiceSandbox=type] attribute. |
| // If your service does not need access to OS resources it should be |
| // possible to host it in |kService|. These values are mapped to |
| // //sandbox/policy/sandbox_type.h values. |
| enum Sandbox { |
| // |kService| hosts 'computation only' services such as decoders that |
| // use limited operating system services. Prefer to use this sandbox |
| // if possible. |
| kService, |
| |
| // |kServiceWithJit| hosts computation only services that make use of |
| // dynamic code (e.g. v8 or wasm) but do not need access to OS resources. |
| // Prefer |kService| if possible. |
| kServiceWithJit, |
| |
| // Hosts generic utilities with limited access to system services. |
| // On some platforms, may be slightly less locked down than |kService|. |
| // For instance, it allows dynamic code and wider access to APIs on Windows. |
| kUtility, |
| |
| // The audio service process. May be disabled by policy. |
| kAudio, |
| |
| // Hosts the content decryption module. Allows pre-loading of CDM libraries. |
| // - On Windows, when `CdmServiceBroker` is connected the CDM was not |
| // sandboxed to allow CDM preloading. |
| // - On Mac, the process is fully sandboxed when launched. |
| // - On Linux/ChromeOS, the CDM is preloaded in the zygote sandbox. |
| kCdm, |
| |
| // The network service. May be disabled by policy. |
| kNetwork, |
| |
| // The on-device model execution service. This sandbox is equivalent to the |
| // GPU process's sandbox, but can be used by service processes to host |
| // trustworthy models that may process untrustworthy inputs. |
| kOnDeviceModelExecution, |
| |
| // Runs with the same rights as the browser. Usually needed to improve |
| // stability by hosting code that interacts with third party code in another |
| // process. |
| kNoSandbox, |
| |
| // Hosts the GPU service and can talk to GPU drivers and other OS APIs which |
| // may not be expecting untrusted input. |
| kGpu, |
| |
| // Composits PDF and XPS documents. |
| kPrintCompositor, |
| |
| // Hosts untrustworthy web content. Blocks as much OS access as possible. |
| // Unless disabled by policy, allows dynamic code (for wasm/v8). Services |
| // should prefer to use kService or kUtility. |
| kRenderer, |
| |
| // Like kUtility but allows loading of speech recognition libraries. |
| kSpeechRecognition, |
| |
| // Like kService but allows loading of the optimization guide library. |
| [EnableIf=is_linux] kVideoEffects, |
| |
| // The PPAPI plugin process. (Unsandboxed on Windows.) |
| [EnableIf=enable_ppapi_sandbox] kPpapi, |
| |
| // Equivalent to no sandbox on all non-Fuchsia platforms. |
| // Minimally privileged sandbox on Fuchsia. |
| [EnableIf=is_fuchsia] kVideoCapture, |
| |
| // Allows access to file contents and Windows APIs for parsing icons from PE |
| // files. |
| [EnableIf=is_win] kIconReader, |
| |
| // Allows LPAC capabilities for the Windws Media Foundation CDM, including |
| // internet and private network access, COM, Identity & others. Allows access |
| // to files in the `mediaFoundationCdmFiles` Chromium lpac. |
| [EnableIf=is_win] kMediaFoundationCdm, |
| |
| // Launches elevated. Used by the RemovableStorageWriter. |
| [EnableIf=is_win] kNoSandboxAndElevatedPrivileges, |
| |
| // Like kUtility, but patches GDI during child startup in pdf_child_init. |
| [EnableIf=is_win] kPdfConversion, |
| |
| // Interfaces with operating system print drivers. |
| [EnableIf=is_chromeos|is_linux|is_mac|is_win] kPrintBackend, |
| |
| // Like kUtility but allows loading of screen AI library. |
| [EnableIf=is_chromeos|is_linux|is_mac|is_win] kScreenAI, |
| |
| // |kXrCompositing| hosts XR Device Service on Windows. |
| [EnableIf=is_win] kXrCompositing, |
| |
| // Allows LPAC capabilities for WinHttp. This only needs internet access, |
| // policy access, and service access. |
| [EnableIf=is_win] kWindowsSystemProxyResolver, |
| |
| // Used to protect processes that perform hardware video decode acceleration. |
| // Currently uses the same policy as the GPU process sandbox. Warm-up does |
| // something different depending on the video acceleration API: for VA-API, we |
| // open the render node and load libva plus associated libraries (like i965 or |
| // iHD). For V4L2, we set up the broker process to allow opening certain V4L2 |
| // devices and we load the libv4l2.so library. |
| // |
| // TODO(b/195769334): we're using the GPU process sandbox policy for now as a |
| // transition step. However, we should create a policy that's tighter just for |
| // hardware video decoding. |
| [EnableIf=is_chromeos_ash|is_linux] kHardwareVideoDecoding, |
| |
| // Used to protect processes that perform hardware video encode acceleration. |
| // Currently uses the same policy as the GPU process sandbox. Warm-up does |
| // something different depending on the video acceleration API: for VA-API, we |
| // open the render node and load libva plus associated libraries (like i965 or |
| // iHD). For V4L2, we set up the broker process to allow opening certain V4L2 |
| // devices and we load the libv4l2.so library and encoder plugins. |
| // |
| // TODO(b/248528896): we're using the GPU process sandbox policy for now as a |
| // transition step. However, we should create a policy that's tighter just for |
| // hardware video encoding. |
| [EnableIf=is_chromeos|is_linux] kHardwareVideoEncoding, |
| |
| // Hosts Input Method Editors. |
| [EnableIf=is_chromeos_ash] kIme, |
| |
| // Text-to-speech. |
| [EnableIf=is_chromeos_ash] kTts, |
| |
| // Hosts the Libassistant service on ChromeOS Ash, only used for |
| // Chrome branded builds. |
| [EnableIf=enable_cros_libassistant] kLibassistant, |
| |
| // Like kUtility but allows access to IOSurface on macOS. |
| [EnableIf=is_mac] kMirroring, |
| |
| // Used to prime zygotes before they specialize. The process will receive a |
| // new sandbox later in its lifetime. |
| [EnableIf=is_chromeos|is_linux] kZygoteIntermediateSandbox, |
| |
| // Hosts the shared Nearby library for both Nearby Connections and |
| // Nearby Presence. |
| [EnableIf=is_chromeos_ash] kNearby, |
| |
| // Hosts On Device Translation service. |
| // Currently the sandboxing of the On Device Translation service needs |
| // a dedicated sandbox type on macOS and Linux. |
| // On Windows the kService sandbox type is used. |
| // TODO(crbug.com/340778819): Implement sandboxing on other platforms. |
| [EnableIf=is_linux|is_mac] kOnDeviceTranslation, |
| }; |