blob: d07a5f6a4067e87aac16b451e96af7bf22009cf9 [file] [log] [blame]
<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<node name="/org/chromium/SessionManager"
xmlns:doc="http://www.freedesktop.org/dbus/1.0/doc.dtd">
<!--
Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
Use of this source code is governed by a BSD-style license that can be
found in the LICENSE file.
-->
<!-- ********************************************************************* -->
<!--
org.chromium.SessionManagerInterface:
@short_description: User session manager.
Interface for user session manager. Also handles persisting and
retrieving device and per-user enterprise policy blobs and
brokering certain privileged operations on the browser's behalf.
-->
<interface name="org.chromium.SessionManagerInterface">
<!--
EmitLoginPromptVisible:
Emits the "login-prompt-visible" upstart signal and LoginPromptVisible
DBus signal on the browser's behalf.
-->
<method name="EmitLoginPromptVisible">
<annotation name="org.chromium.DBus.Method.Kind" value="simple" />
</method>
<!--
LoginPromptVisible:
Emitted when the browser indicates that the sign in screen is visible.
-->
<signal name="LoginPromptVisible" />
<!--
EnableChromeTesting:
@force_relaunch: Restart the browser no matter what.
@extra_arguments: Extra command line arguments to pass on restart.
@filepath: The named pipe to be used for testing communication.
Restarts the browser, leaving it open for testing automation.
Adds an argument to the chrome child job command line that causes it,
upon restart, to open a testing channel. Next, kills and restarts
chrome. The name of the pipe to be used for testing is returned in
@filepath.
If @force_relaunch is true, Chrome will be restarted with each
invocation. Otherwise, it will only be restarted if
automation is not yet enabled. @extra_arguments can
include any additional arguments that need to be passed to
Chrome on subsequent launches.
-->
<method name="EnableChromeTesting">
<arg type="b" name="force_relaunch" direction="in" />
<arg type="as" name="extra_arguments" direction="in" />
<arg type="s" name="filepath" direction="out" />
</method>
<!--
StartSession:
@account_id: Account ID of the user to start a session for.
@unique_identifier: Unused.
Updates bookkeeping to know about a session for @account_id. Also emits
"start-user-session" upstart signal (asynchronously) and
"SessionStateChanged:started" D-Bus signal.
-->
<method name="StartSession">
<arg type="s" name="account_id" direction="in" />
<arg type="s" name="unique_identifier" direction="in" />
</method>
<!--
StopSession:
@unique_identifier: Unused.
Terminates all active user sessions, announces this over upstart
("stop-user-session") and DBus (SessionStateChanges:stopped).
-->
<method name="StopSession">
<arg type="s" name="unique_identifier" direction="in" />
<annotation name="org.chromium.DBus.Method.Kind" value="simple" />
</method>
<!--
SessionStateChanged:
@state: State the device has changed to.
Signal emitted to announce session state changes. Supported values for
@state include <quote>started</quote>, <quote>stopping</quote>, and
<quote>stopped</quote>.
-->
<signal name="SessionStateChanged">
<arg type="s" name="state" />
</signal>
<!--
StorePolicyEx:
@descriptor_blob: Serialized PolicyDescriptor protobuf containing
metadata about the policy (e.g. user policy, account id).
@policy_blob: Serialized PolicyFetchResponse protobuf which wraps the
actual policy data along with an SHA1-RSA signature over the policy
data. The policy data is opaque to Session Manager, the exact
definition is only relevant to client code in Chrome.
Verifies the signature in @policy_blob and persists the blob to disk.
Device policy is stored in a root-owned location outside of any user's
cryptohome. It is verified with the device-wide policy key.
User policy is stored in a root-owned location within the user's
cryptohome (for privacy reasons). The first attempt to store policy also
installs the signing key for user policy. This key is used later to
verify policy updates pushed by Chrome.
User policy for users without session is rejected by this method.
Policy for device local accounts is stored in the root-owned
/var/lib/device_local_accounts directory in the stateful partition.
Signatures are checked against the owner key, key rotation is not
allowed.
Extension policy is rejected by the implementation at this point since
it is stored by Chrome directly.
-->
<method name="StorePolicyEx">
<arg type="ay" name="descriptor_blob" direction="in" />
<arg type="ay" name="policy_blob" direction="in" />
<annotation name="org.chromium.DBus.Method.Kind" value="async" />
</method>
<!--
StoreUnsignedPolicyEx:
@descriptor_blob: Serialized PolicyDescriptor protobuf containing
metadata about the policy (user, device or extension policy).
@policy_blob: Serialized PolicyFetchResponse protobuf containing user,
device or extension policy, but no signature.
Similar to StorePolicyEx, but stores policy without signature
verification for AD managed devices. Locked down through busconfig to be
only callable by authpolicyd and exits with an error if install
attributes are not locked to enterprise_ad device mode.
-->
<method name="StoreUnsignedPolicyEx">
<arg type="ay" name="descriptor_blob" direction="in" />
<arg type="ay" name="policy_blob" direction="in" />
<annotation name="org.chromium.DBus.Method.Kind" value="async" />
</method>
<!--
RetrievePolicyEx:
@descriptor_blob: Serialized PolicyDescriptor protobuf containing
metadata about the policy (user vs device policy).
@policy_blob: Serialized PolicyFetchResponse protobuf containing the
requested user or device policy and a signature over that policy.
Retrieve policy stored by StorePolicy.
Can retrieve user policy for users without a user session. This is
useful if we need to access user policy before actually starting the
session. The user home must have been mounted as hidden user home with
cryptohome.
-->
<method name="RetrievePolicyEx">
<arg type="ay" name="descriptor_blob" direction="in" />
<arg type="ay" name="policy_blob" direction="out" />
</method>
<!--
StorePolicy:
@policy_blob: Serialized protobuf containing a device policy and a
signature over that policy.
Stores a device policy. This method will verify the sig in @policy_blob
and persist the blob to disk.
The signature is a SHA1 with RSA signature over the policy,
verifiable with the device-wide policy key.
-->
<method name="StorePolicy">
<arg type="ay" name="policy_blob" direction="in" />
<annotation name="org.chromium.DBus.Method.Kind" value="async" />
</method>
<!--
StoreUnsignedPolicy:
@policy_blob: Serialized protobuf containing device policy.
Stores device policy without signature verification for AD managed
devices. Locked down through busconfig to be only callable by
authpolicyd and exits with an error if install attributes are not locked
to enterprise_ad device mode.
-->
<method name="StoreUnsignedPolicy">
<arg type="ay" name="policy_blob" direction="in" />
<annotation name="org.chromium.DBus.Method.Kind" value="async" />
</method>
<!--
RetrievePolicy:
@policy_blob: Serialized protobuf containing a device policy and a
signature over that policy.
Retrieve device policy stored by StorePolicy.
-->
<method name="RetrievePolicy">
<arg type="ay" name="policy_blob" direction="out" />
</method>
<!--
StorePolicyForUser:
@account_id: Account ID of the user whose policy is to be stored.
@policy_blob: A serialized PolicyFetchResponse protobuf.
Similar to StorePolicy() above, but for user policy.
@policy_blob should contain a serialized PolicyFetchResponse protobuf
which wraps the actual policy data along with an SHA1-RSA signature
over the policy data. The policy data is opaque to session_manager,
the exact definition is only relevant to client code in Chrome.
Calling this function attempts to persist the policy blob for
a given user. Policy is stored in a root-owned location
within the user's cryptohome (for privacy reasons). The
first attempt to store policy also installs the signing
key for user policy. This key is used later to verify policy
updates pushed by Chrome.
-->
<method name="StorePolicyForUser">
<arg type="s" name="account_id" direction="in" />
<arg type="ay" name="policy_blob" direction="in" />
<annotation name="org.chromium.DBus.Method.Kind" value="async" />
</method>
<!--
StoreUnsignedPolicyForUser:
@account_id: Account ID of the user whose policy is to be stored.
@policy_blob: A serialized PolicyFetchResponse protobuf.
Similar to StoreUnsignedPolicy() above, but for user policy.
Stores user policy without signature verification for AD managed
devices. Locked down through busconfig to be only callable by
authpolicyd and exits with an error if install attributes are not locked
to enterprise_ad device mode. The policy data is opaque to
session_manager, the exact definition is only relevant to client code in
Chrome.
Calling this function attempts to persist the policy blob for a given
user. Policy is stored in a root-owned location within the user's
cryptohome (for privacy reasons and to prevent tampering by other system
components).
-->
<method name="StoreUnsignedPolicyForUser">
<arg type="s" name="account_id" direction="in" />
<arg type="ay" name="policy_blob" direction="in" />
<annotation name="org.chromium.DBus.Method.Kind" value="async" />
</method>
<!--
RetrievePolicyForUser:
@account_id: Account ID of the user whose policy the caller wants.
@policy_blob: Serialized protobuf containing a PolicyFetchResponse and a
signature over that policy.
Retrieves user policy for a given user.
-->
<method name="RetrievePolicyForUser">
<arg type="s" name="account_id" direction="in" />
<arg type="ay" name="policy_blob" direction="out" />
</method>
<!--
RetrievePolicyForUserWithoutSession:
@account_id: Account ID of the user whose policy the caller wants.
@policy_blob: Serialized protobuf containing a PolicyFetchResponse and a
signature over that policy.
Retrieves user policy for user without a user session. This is useful if
we need to access user policy before actually starting the session. The
user home must have been mounted as hidden user home with cryptohome.
-->
<method name="RetrievePolicyForUserWithoutSession">
<arg type="s" name="account_id" direction="in" />
<arg type="ay" name="policy_blob" direction="out" />
</method>
<!--
StoreDeviceLocalAccountPolicy:
@account_id: Account whose policy is to be stored.
@policy_blob: A serialized PolicyFetchResponse protobuf.
Similar to StorePolicyForUser() above, but for device-local
accounts. @policy_blob should contain a serialized
PolicyFetchResponse protobuf which wraps the actual policy
data along with an SHA1-RSA signature over the policy
data. The policy data is opaque to session manager, the exact
definition is only relevant to client code in Chrome.
Calling this function attempts to persist the policy blob for
the device-local account specified in the method call. Policy
is stored in the root-owned /var/lib/device_local_accounts
directory in the stateful partition. Signatures are checked
against the owner key, key rotation is not allowed.
-->
<method name="StoreDeviceLocalAccountPolicy">
<arg type="s" name="account_id" direction="in" />
<arg type="ay" name="policy_blob" direction="in" />
<annotation name="org.chromium.DBus.Method.Kind" value="async" />
</method>
<!--
RetrieveDeviceLocalAccountPolicy:
@account_id: Account ID of the user whose policy is to be stored.
@policy_blob: Serialized protobuf containing a PolicyFetchResponse and a
signature over that policy.
Retrieves device-local account policy for the specified @account_id.
-->
<method name="RetrieveDeviceLocalAccountPolicy">
<arg type="s" name="account_id" direction="in" />
<arg type="ay" name="policy_blob" direction="out" />
</method>
<!--
SetOwnerKeyComplete:
Defined as login_manager::kOwnerKeySetSignal, broadcast when the request
to persist the policy key was completed.
@success: A string value with either "success" or "failure" indicating
whether the policy key was actually persisted.
-->
<signal name="SetOwnerKeyComplete">
<arg type="s" name="success" />
</signal>
<!--
PropertyChangeComplete:
Broadcast when a request to persist the policy blob file on disk was
completed.
@success: A string value with either "success" or "failure" indicating
whether the policy blob was actually persisted.
-->
<signal name="PropertyChangeComplete">
<arg type="s" name="success" />
</signal>
<!--
RetrieveSessionState:
@state: The current session state.
Get information about the current session. Will be one of
<quote>started</quote>, <quote>stopping</quote>, <quote>stopped</quote>.
-->
<method name="RetrieveSessionState">
<arg type="s" name="state" direction="out" />
<annotation name="org.chromium.DBus.Method.Kind" value="simple" />
</method>
<!--
RetrieveActiveSessions:
@sessions: A map describing the currently active user sessions.
Enumerate active user sessions.
@sessions is a dictionary mapping { username: sanitized_user_name }.
-->
<method name="RetrieveActiveSessions">
<arg type="a{ss}" name="sessions" direction="out" />
<annotation name="org.chromium.DBus.Method.Kind" value="simple" />
</method>
<!--
HandleSupervisedUserCreationStarting:
Handle notification from Chrome that creation of a supervised user is
underway. Browser crashes will trigger session termination until
someone calls HandleSupervisedUserCreationFinished.
-->
<method name="HandleSupervisedUserCreationStarting">
<annotation name="org.chromium.DBus.Method.Kind" value="simple" />
</method>
<!--
HandleSupervisedUserCreationFinished:
Handle notification from Chrome that creation of a supervised user is
completed. Browser crashes will once again trigger a browser restart.
-->
<method name="HandleSupervisedUserCreationFinished">
<annotation name="org.chromium.DBus.Method.Kind" value="simple" />
</method>
<!--
LockScreen:
Allows other processes to request screen locking.
Emits LockScreen signal to Chromium Browser to tell it to lock the
screen. The browser should call the HandleScreenLocked
method when the screen is actually locked.
-->
<method name="LockScreen" />
<!--
HandleLockScreenShown:
Handle notification from Chrome that the lock screen is visible.
Emits ScreenIsLocked.
-->
<method name="HandleLockScreenShown">
<annotation name="org.chromium.DBus.Method.Kind" value="simple" />
</method>
<!--
HandleLockScreenDismissed:
Handle notification from Chrome that the lock screen is hidden.
Emits ScreenIsUnlocked.
-->
<method name="HandleLockScreenDismissed">
<annotation name="org.chromium.DBus.Method.Kind" value="simple" />
</method>
<!--
ScreenIsLocked:
Broadcast that the browser locked the screen.
-->
<signal name="ScreenIsLocked" />
<!--
ScreenIsUnlocked:
Broadcast that the browser unlocked the screen.
-->
<signal name="ScreenIsUnlocked" />
<!--
RestartJob:
@cred_fd: File descriptor that provides PID to be restarted.
@argv: Command line arguments to restart the job with.
Restarts job with pid returned when querying @cred_fd using
SO_PEERCRED, replacing its command line arguments with those provided.
Only works for the browser process managed by the SessionManager.
-->
<method name="RestartJob">
<arg type="h" name="cred_fd" direction="in" />
<arg type="as" name="argv" direction="in" />
</method>
<!--
StartDeviceWipe:
Sets the device up to "Powerwash" on reboot, and triggers a reboot.
-->
<method name="StartDeviceWipe" />
<!--
StartTPMFirmwareUpdate:
@update_mode: Indicates the requested firmware update mode.
Requests a TPM firmware update to be installed. This will only
work immediately after boot while there hasn't been a user
session yet.
The idea behind the fresh boot requirement is that we
shouldn't expose the ability to trigger a firmware update to a
compromised browser processes. Only allowing it after a
(verified) reboot reduces chances that we're dealing with a
compromised browser process significantly.
Remotely managed devices rely on a remote device owner to take
device management decisions. Since updating TPM firmware is an
invasive process, we don't allow local users to trigger the
update on their own, but rely on device policy to confirm the
requested update_mode.
-->
<method name="StartTPMFirmwareUpdate">
<arg type="s" name="update_mode" direction="in" />
<annotation name="org.chromium.DBus.Method.Kind" value="async" />
</method>
<!--
SetFlagsForUser:
@account_id: Account ID of the user to set flags for.
@flags: array of flags to be set for the user.
Sets browser @flags to be applied on next in-session restart.
-->
<method name="SetFlagsForUser">
<arg type="s" name="account_id" direction="in" />
<arg type="as" name="flags" direction="in" />
<annotation name="org.chromium.DBus.Method.Kind" value="simple" />
</method>
<!--
GetServerBackedStateKeys:
@state_keys: The array of currently valid state keys.
Requests server-backed state keys to be computed and returned. A
server-backed state key is an opaque client-determined identifier that's
used to stage state in a server to be retrieved after device
recovery. These are used to figure out device state such as previous
enrollment domain and whether the device got marked as stolen by its
owner. The keys are time-dependent, with each key being valid only for a
window of time, and based on system time this call returns the currently
valid state key plus a number of subsequent state keys (all sorted by
time in ascending order) that span approximately a year of time in
coverage. It is the responsibility of the caller to ensure that the
system time is accurate before starting the request!
-->
<method name="GetServerBackedStateKeys">
<arg type="aay" name="state_keys" direction="out" />
<annotation name="org.chromium.DBus.Method.Kind" value="async" />
</method>
<!--
InitMachineInfo:
@data: A string containing newline-separated key=value pairs.
Initializes supplemental machine information for use by session manager
that has be asynchronously determined in the boot process after
starting session_manager. This method gets invoked by the ui-init-late
init job; nothing else should call this method.
-->
<method name="InitMachineInfo">
<arg type="s" name="data" direction="in" />
</method>
<!--
StartContainer:
@path: The path to the disk image that holds the container.
@hashed_username: User hash used to find the data of the active user.
@name: A string containing the name to give the container.
@writable: If true, mount the container R/W inside the VM.
Starts an untrusted container using a VM to sandbox it.
-->
<method name="StartContainer">
<arg type="s" name="path" direction="in" />
<arg type="s" name="hashed_username" direction="in" />
<arg type="s" name="name" direction="in" />
<arg type="b" name="writable" direction="in" />
</method>
<!--
StopContainer:
@name: A string containing the name of the container to stop.
Stops a currently running container.
-->
<method name="StopContainer">
<arg type="s" name="name" direction="in" />
</method>
<!--
StartArcInstance:
@request: Serialized StartArcInstanceRequest proto message containing
ARC startup options.
@container_instance_id: Output parameter containing an opaque
identifier for the container instance. The
ArcInstanceStopped signal will contain the same identifier.
An empty ID is returned when the container is not started
but is just turned from a limited purpose one (for login
screen) into a fully functional one.
@fd: Output parameter containing a file descriptor. Chrome can listen
to the server socket to establish a connection to the container's
arcbridgeservice. A dummy FD is returned when
|request.for_login_screen| is set. It is caller's responsibility
to close the returned FD regardless of whether it is dummy or not.
Starts an ARC instance. Only one instance of ARC can be executing at a
given point in time. When StartArcInstance is called when a limited
purpose container already exists, that container is turned into a fully
functional one. This method is only available if the board supports ARC.
This method gets invoked by Chrome.
-->
<method name="StartArcInstance">
<arg type="ay" name="request" direction="in" />
<arg type="s" name="container_instance_id" direction="out" />
<arg type="h" name="fd" direction="out" />
</method>
<!--
StopArcInstance:
Stops the currently running ARC instance. Used to manually stop the ARC
instance. If the instance is not running, this will result in a no-op.
If this method is not called, session_manager will still stop the
instance when the user's session ends. This method is only available if
the board supports ARC. This method gets invoked by Chrome.
-->
<method name="StopArcInstance" />
<!--
ArcInstanceStopped:
@clean: True if the stopping instance is initiated intentionally. False
otherwise, like unexpected instance crash.
@container_instance_id: opaque identifier of the stopped container.
See also StartArcInstance.
Sent when ARC instance is stopped. Maybe clean shutdown, or crash.
-->
<signal name="ArcInstanceStopped">
<arg type="b" name="clean" />
<arg type="s" name="container_instance_id" />
</signal>
<!--
SetArcCpuRestriction:
@restriction_state: State used to set the level of CPU allowed specified
as foreground or background with the
|login_manager::ContainerCpuRestrictionState| enum.
Adjusts the amount of CPU the ARC instance is allowed to use by setting
the cpu.shares value of ARC's cpu cgroup. When restriction_state is
CONTAINER_CPU_RESTRICTION_FOREGROUND the limit is adjusted so ARC can
use all the system's CPU if needed. When restriction_state is
CONTAINER_CPU_RESTRICTION_BACKGROUND, cpu.shares is set back to a
tightly restricted level. The ARC container is started in a state that
is more restricted than CONTAINER_CPU_RESTRICTION_BACKGROUND. This
startup state is to allow Chrome to restore during login and can't be
re-entered after startup is complete.
Calling the method while the instance is not running *is* okay as long
as the cgroups exist.
-->
<method name="SetArcCpuRestriction">
<arg type="u" name="restriction_state" direction="in" />
</method>
<!--
EmitArcBooted:
Emits the "arc-booted" upstart signal on the browser's behalf.
-->
<method name="EmitArcBooted">
<arg type="s" name="account_id" direction="in" />
</method>
<!--
GetArcStartTimeTicks:
Returns the value of start time (base::TimeTicks::ToInternalValue()) of
the ARC instance if exists, otherwise an error will be returned
accordingly i.e. ARC is not available on the platform or ARC is not
started.
-->
<method name="GetArcStartTimeTicks">
<arg type="x" name="start_time" direction="out" />
</method>
<!--
RemoveArcData:
@account_id: Account ID of the user whose ARC data is removed.
Removes ARC data from the user's profile. This does not remove ARC
system data such as root images.
-->
<method name="RemoveArcData">
<arg type="s" name="account_id" direction="in" />
</method>
</interface>
<!-- ********************************************************************* -->
</node>