components/exo/security_delegate.h - chromium/src - Git at Google

 // Copyright 2021 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef COMPONENTS_EXO_SECURITY_DELEGATE_H_
 #define COMPONENTS_EXO_SECURITY_DELEGATE_H_

 #include <memory>
 #include <string>

 namespace aura {
 class Window;
 }

 namespace exo {

 // Defines the set of actions/associations which are needed to implement a
 // per-product Exo server. Product here refrs to things like "Crostini", "ArcVM"
 // and "Lacross", and distinguishes from wayland's notion of a client. Each
 // product may have multiple clients associated with it.
 //
 // TODO(b/200896773): Flesh this class out once we're clear on what things
 // should be secure.
 class SecurityDelegate {
  public:
   // Get a SecurityDelegate instance with all of the defaults.
   static std::unique_ptr<SecurityDelegate> GetDefaultSecurityDelegate();

   virtual ~SecurityDelegate();

   // The path of the wayland server will be determined (partially) by its
   // security context. This process is documented in go/secure-exo-ids. All
   // sockets for the same security context will be placed in a single directory,
   // on ChromeOS that directory is "/run/wayland/<context>/". The intention is
   // that systems that need access to the wayland socket will mount their
   // security context's directory into their mount namespace, and not others'.
   //
   // The empty string refers to "no security context", only the default wayland
   // server may use it, and it is an error to spawn a non-default server without
   // a security context.
   virtual std::string GetSecurityContext() const = 0;

   // "Self-activation" is a security sensitive windowing operation that is a
   // common paradigm in X11. The need to self-activate is controlled
   // per-subsystem, i.e. a product like ARC++ knows that its windows should be
   // able to self activate, whereas Crostini knows they usually shouldn't.
   virtual bool CanSelfActivate(aura::Window* window) const;

   // Called when a client made pointer lock request, defined in
   // pointer-constraints-unstable-v1.xml extension protocol.  True if the client
   // can lock the location of the pointer and disable movement, or return false
   // to reject the pointer lock request.
   virtual bool CanLockPointer(aura::Window* window) const;
 };

 }  // namespace exo

 #endif  // COMPONENTS_EXO_SECURITY_DELEGATE_H_
	// Copyright 2021 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef COMPONENTS_EXO_SECURITY_DELEGATE_H_
	#define COMPONENTS_EXO_SECURITY_DELEGATE_H_

	#include <memory>
	#include <string>

	namespace aura {
	class Window;
	}

	namespace exo {

	// Defines the set of actions/associations which are needed to implement a
	// per-product Exo server. Product here refrs to things like "Crostini", "ArcVM"
	// and "Lacross", and distinguishes from wayland's notion of a client. Each
	// product may have multiple clients associated with it.
	//
	// TODO(b/200896773): Flesh this class out once we're clear on what things
	// should be secure.
	class SecurityDelegate {
	public:
	// Get a SecurityDelegate instance with all of the defaults.
	static std::unique_ptr<SecurityDelegate> GetDefaultSecurityDelegate();

	virtual ~SecurityDelegate();

	// The path of the wayland server will be determined (partially) by its
	// security context. This process is documented in go/secure-exo-ids. All
	// sockets for the same security context will be placed in a single directory,
	// on ChromeOS that directory is "/run/wayland/<context>/". The intention is
	// that systems that need access to the wayland socket will mount their
	// security context's directory into their mount namespace, and not others'.
	//
	// The empty string refers to "no security context", only the default wayland
	// server may use it, and it is an error to spawn a non-default server without
	// a security context.
	virtual std::string GetSecurityContext() const = 0;

	// "Self-activation" is a security sensitive windowing operation that is a
	// common paradigm in X11. The need to self-activate is controlled
	// per-subsystem, i.e. a product like ARC++ knows that its windows should be
	// able to self activate, whereas Crostini knows they usually shouldn't.
	virtual bool CanSelfActivate(aura::Window* window) const;

	// Called when a client made pointer lock request, defined in
	// pointer-constraints-unstable-v1.xml extension protocol. True if the client
	// can lock the location of the pointer and disable movement, or return false
	// to reject the pointer lock request.
	virtual bool CanLockPointer(aura::Window* window) const;
	};

	} // namespace exo

	#endif // COMPONENTS_EXO_SECURITY_DELEGATE_H_