Add Speech Recognition Sandbox on MacOS

This CL defines the sandbox for the speech recognition process on MacOS
that will be used by the Live Caption feature (go/chrome-live-caption).

Bug: 1131611
Change-Id: I10a52fb6a2568ccbfce68d44a81b0c3b333e250f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2426970
Commit-Queue: Evan Liu <evliu@google.com>
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#811972}

chrome/browser/BUILD.gn

@@ -2114,6 +2114,7 @@ static_library("browser") {
     "//components/signin/public/identity_manager",
     "//components/signin/public/webdata",
     "//components/site_isolation",
+    "//components/soda:constants",
     "//components/spellcheck:buildflags",
     "//components/sqlite_proto",
     "//components/ssl_errors",
@@ -4718,6 +4719,8 @@ static_library("browser") {
       "//chrome/browser/ui/cocoa/notifications:common",
       "//components/crash/core/app",
       "//components/metal_util",
+      "//sandbox/mac:seatbelt",
+      "//sandbox/policy",
       "//services/video_capture/public/mojom:constants",
       "//third_party/crashpad/crashpad/client",
       "//third_party/google_toolbox_for_mac",

chrome/browser/DEPS

@@ -263,6 +263,7 @@ include_rules = [
   "+components/signin/core/browser",
   "+components/signin/public",
   "+components/site_isolation",
+  "+components/soda",
   "+components/spellcheck",
   "+components/sqlite_proto",
   "+components/ssl_errors",
@@ -348,7 +349,8 @@ include_rules = [
   "+ppapi/proxy",
   "+ppapi/shared_impl",
   "+rlz",
-  "+sandbox/win/src",  # The path doesn't say it, but this is the Windows sandbox.
+  "+sandbox/mac",
+  "+sandbox/win/src",
   "+services/audio/public",
   "+services/cert_verifier",
   "+services/data_decoder/public",

chrome/browser/chrome_content_browser_client.cc

@@ -382,6 +382,9 @@
 #elif defined(OS_MAC)
 #include "chrome/browser/apps/intent_helper/mac_apps_navigation_throttle.h"
 #include "chrome/browser/chrome_browser_main_mac.h"
+#include "components/soda/constants.h"
+#include "sandbox/mac/seatbelt_exec.h"
+#include "sandbox/policy/mac/sandbox_mac.h"
 #elif defined(OS_CHROMEOS)
 #include "ash/public/cpp/ash_pref_names.h"
 #include "ash/public/cpp/tablet_mode.h"
@@ -5829,3 +5832,28 @@ bool ChromeContentBrowserClient::ShouldAllowInsecurePrivateNetworkRequests(
 ukm::UkmService* ChromeContentBrowserClient::GetUkmService() {
   return g_browser_process->GetMetricsServicesManager()->GetUkmService();
 }
+
+#if defined(OS_MAC)
+bool ChromeContentBrowserClient::SetupEmbedderSandboxParameters(
+    sandbox::policy::SandboxType sandbox_type,
+    sandbox::SeatbeltExecClient* client) {
+  if (sandbox_type == sandbox::policy::SandboxType::kSpeechRecognition) {
+    base::FilePath soda_component_path = speech::GetSodaDirectory();
+    CHECK(!soda_component_path.empty());
+    CHECK(client->SetParameter(
+        sandbox::policy::SandboxMac::kSandboxSodaComponentPath,
+        soda_component_path.value()));
+
+    base::FilePath soda_language_pack_path =
+        speech::GetSodaLanguagePacksDirectory();
+    CHECK(!soda_language_pack_path.empty());
+    CHECK(client->SetParameter(
+        sandbox::policy::SandboxMac::kSandboxSodaLanguagePackPath,
+        soda_language_pack_path.value()));
+    return true;
+  }
+
+  return false;
+}
+
+#endif  // defined(OS_MAC)

chrome/browser/chrome_content_browser_client.h

@@ -68,6 +68,10 @@ class SafeBrowsingService;
 class UrlCheckerDelegate;
 }  // namespace safe_browsing
 
+namespace sandbox {
+class SeatbeltExecClient;
+}  // namespace sandbox
+
 namespace ui {
 class NativeTheme;
 }
@@ -697,6 +701,12 @@ class ChromeContentBrowserClient : public content::ContentBrowserClient {
       const GURL& url) override;
   ukm::UkmService* GetUkmService() override;
 
+#if defined(OS_MAC)
+  bool SetupEmbedderSandboxParameters(
+      sandbox::policy::SandboxType sandbox_type,
+      sandbox::SeatbeltExecClient* client) override;
+#endif  // defined(OS_MAC)
+
  protected:
   static bool HandleWebUI(GURL* url, content::BrowserContext* browser_context);
   static bool HandleWebUIReverse(GURL* url,

content/browser/sandbox_parameters_mac.mm

@@ -219,7 +219,6 @@ void SetupSandboxParameters(sandbox::policy::SandboxType sandbox_type,
                             sandbox::SeatbeltExecClient* client) {
   switch (sandbox_type) {
     case sandbox::policy::SandboxType::kAudio:
-    case sandbox::policy::SandboxType::kSpeechRecognition:
     case sandbox::policy::SandboxType::kNaClLoader:
     case sandbox::policy::SandboxType::kPrintCompositor:
     case sandbox::policy::SandboxType::kRenderer:
@@ -247,6 +246,12 @@ void SetupSandboxParameters(sandbox::policy::SandboxType sandbox_type,
     case sandbox::policy::SandboxType::kVideoCapture:
       CHECK(false) << "Unhandled parameters for sandbox_type "
                    << static_cast<int>(sandbox_type);
+      break;
+    // Setup parameters for sandbox types handled by embedders below.
+    case sandbox::policy::SandboxType::kSpeechRecognition:
+      SetupCommonSandboxParameters(client);
+      CHECK(GetContentClient()->browser()->SetupEmbedderSandboxParameters(
+          sandbox_type, client));
   }
 }
 

content/public/browser/content_browser_client.cc

@@ -1144,4 +1144,12 @@ ukm::UkmService* ContentBrowserClient::GetUkmService() {
   return nullptr;
 }
 
+#if defined(OS_MAC)
+bool ContentBrowserClient::SetupEmbedderSandboxParameters(
+    sandbox::policy::SandboxType sandbox_type,
+    sandbox::SeatbeltExecClient* client) {
+  return false;
+}
+#endif  // defined(OS_MAC)
+
 }  // namespace content

content/public/browser/content_browser_client.h

@@ -156,6 +156,7 @@ struct ResourceRequest;
 }  // namespace network
 
 namespace sandbox {
+class SeatbeltExecClient;
 class TargetPolicy;
 namespace policy {
 enum class SandboxType;
@@ -1916,6 +1917,15 @@ class CONTENT_EXPORT ContentBrowserClient {
 
   // Returns the URL-Keyed Metrics service for chrome:ukm.
   virtual ukm::UkmService* GetUkmService();
+
+#if defined(OS_MAC)
+  // Sets up the embedder sandbox parameters for the given sandbox type. Returns
+  // true if parameters were successfully set up or false if no additional
+  // parameters were set up.
+  virtual bool SetupEmbedderSandboxParameters(
+      sandbox::policy::SandboxType sandbox_type,
+      sandbox::SeatbeltExecClient* client);
+#endif  // defined(OS_MAC)
 };
 
 }  // namespace content

sandbox/policy/mac/BUILD.gn

@@ -15,6 +15,7 @@ action_foreach("package_sb_files") {
     "ppapi.sb",
     "print_compositor.sb",
     "renderer.sb",
+    "speech_recognition.sb",
     "utility.sb",
   ]
   outputs = [

sandbox/policy/mac/sandbox_mac.h

@@ -46,6 +46,8 @@ class SANDBOX_POLICY_EXPORT SandboxMac {
   static const char* kSandboxBrowserPID;
   static const char* kSandboxBundlePath;
   static const char* kSandboxChromeBundleId;
+  static const char* kSandboxSodaComponentPath;
+  static const char* kSandboxSodaLanguagePackPath;
   static const char* kSandboxComponentPath;
   static const char* kSandboxDisableDenialLogging;
   static const char* kSandboxEnableLogging;

sandbox/policy/mac/sandbox_mac.mm

@@ -48,6 +48,7 @@
 #include "sandbox/policy/mac/ppapi.sb.h"
 #include "sandbox/policy/mac/print_compositor.sb.h"
 #include "sandbox/policy/mac/renderer.sb.h"
+#include "sandbox/policy/mac/speech_recognition.sb.h"
 #include "sandbox/policy/mac/utility.sb.h"
 #include "sandbox/policy/sandbox_type.h"
 #include "sandbox/policy/switches.h"
@@ -59,6 +60,9 @@ namespace policy {
 const char* SandboxMac::kSandboxBrowserPID = "BROWSER_PID";
 const char* SandboxMac::kSandboxBundlePath = "BUNDLE_PATH";
 const char* SandboxMac::kSandboxChromeBundleId = "BUNDLE_ID";
+const char* SandboxMac::kSandboxSodaComponentPath = "SODA_COMPONENT_PATH";
+const char* SandboxMac::kSandboxSodaLanguagePackPath =
+    "SODA_LANGUAGE_PACK_PATH";
 const char* SandboxMac::kSandboxComponentPath = "COMPONENT_PATH";
 const char* SandboxMac::kSandboxDisableDenialLogging =
     "DISABLE_SANDBOX_DENIAL_LOGGING";
@@ -254,6 +258,9 @@ std::string SandboxMac::GetSandboxProfile(SandboxType sandbox_type) {
     case SandboxType::kPrintCompositor:
       profile += kSeatbeltPolicyString_print_compositor;
       break;
+    case SandboxType::kSpeechRecognition:
+      profile += kSeatbeltPolicyString_speech_recognition;
+      break;
     case SandboxType::kUtility:
       profile += kSeatbeltPolicyString_utility;
       break;
@@ -262,7 +269,6 @@ std::string SandboxMac::GetSandboxProfile(SandboxType sandbox_type) {
       break;
     case SandboxType::kNoSandbox:
     case SandboxType::kVideoCapture:
-    case SandboxType::kSpeechRecognition:
       CHECK(false);
       break;
   }

sandbox/policy/mac/speech_recognition.sb

+; Copyright 2020 The Chromium Authors. All rights reserved.
+; Use of this source code is governed by a BSD-style license that can be
+; found in the LICENSE file.
+
+; --- The contents of common.sb implicitly included here. ---
+
+; Required to load the libsoda.so binary downloaded by the component
+; updater.
+(define soda-component-path "SODA_COMPONENT_PATH")
+(allow file-read* (subpath (param soda-component-path)))
+
+; Required to load the language pack files used by the Speech On-Device
+; API (SODA).
+(define soda-language-pack-path "SODA_LANGUAGE_PACK_PATH")
+(allow file-read* (subpath (param soda-language-pack-path)))
\ No newline at end of file