Rename UnsafeBitmap to BitmapMappingFromTrustedProcess

This explains more what is unsafe about this mojom, and add additional
comments explaining when it is okay to use this and discouraging
general use.

R=darin@chromium.org, dcheng@chromium.org

Bug: 1144462
Change-Id: I735da27d649394f2e196d99f6b63444e370e9586
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2545203Reviewed-by: Darin Fisher <darin@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: danakj <danakj@chromium.org>
Cr-Commit-Position: refs/heads/master@{#828755}

chromeos/crosapi/mojom/screen_manager.mojom

@@ -28,8 +28,9 @@ interface SnapshotCapturer {
   // Captures a bitmap snapshot of the specified screen or window. If |success|
   // is false, that may indicate that the specified source no longer exists.
   [Sync]
-  TakeSnapshot@1(uint64 id) => (bool success,
-                                skia.mojom.UnsafeBitmap? snapshot);
+  TakeSnapshot@1(uint64 id) =>
+      (bool success,
+       skia.mojom.BitmapMappedFromTrustedProcess? snapshot);
 };
 
 // This interface is implemented by ash-chrome. It allows lacros-chrome to query

skia/public/mojom/BUILD.gn

@@ -58,7 +58,7 @@ mojom("mojom") {
           nullable_is_same_type = true
         },
         {
-          mojom = "skia.mojom.UnsafeBitmap"
+          mojom = "skia.mojom.BitmapMappedFromTrustedProcess"
           cpp = "::SkBitmap"
           nullable_is_same_type = true
         },

skia/public/mojom/bitmap.mojom

@@ -17,16 +17,17 @@ struct Bitmap {
 
 // Similar to above, but the generated bindings avoid copying pixel data on the
 // receiving side of an IPC message. That can be a valuable optimization for
-// large bitmaps. However, this is unsafe for some applications as it leaves
-// open the possibility for the sender to continue to modify the pixel data,
-// which could lead to TOCTOU issues. Use this type *only* when the sender is
-// trusted.
+// large bitmaps. However, this is DANGEROUS as it leaves open the possibility
+// for the sender to continue to modify the pixel data, which could lead to
+// TOCTOU issues. Use this type *only* when the sender is fully trusted (and
+// a compromise there would already mean system compromise), such as from the
+// browser process.
 //
 // NOTE: It is important that the fields of this struct exactly match the
 // fields of the Bitmap struct. This enables stable interfaces to freely
 // migrate between these two types in a compatible fashion.
-[Stable]
-struct UnsafeBitmap {
+[Stable, RenamedFrom="skia.mojom.UnsafeBitmap"]
+struct BitmapMappedFromTrustedProcess {
   ImageInfo image_info;
   uint64 row_bytes;
   mojo_base.mojom.BigBuffer pixel_data;

skia/public/mojom/bitmap_skbitmap_mojom_traits.cc

@@ -107,40 +107,43 @@ bool StructTraits<skia::mojom::BitmapDataView, SkBitmap>::Read(
 }
 
 // static
-bool StructTraits<skia::mojom::UnsafeBitmapDataView, SkBitmap>::IsNull(
-    const SkBitmap& b) {
+bool StructTraits<skia::mojom::BitmapMappedFromTrustedProcessDataView,
+                  SkBitmap>::IsNull(const SkBitmap& b) {
   return b.isNull();
 }
 
 // static
-void StructTraits<skia::mojom::UnsafeBitmapDataView, SkBitmap>::SetToNull(
-    SkBitmap* b) {
+void StructTraits<skia::mojom::BitmapMappedFromTrustedProcessDataView,
+                  SkBitmap>::SetToNull(SkBitmap* b) {
   b->reset();
 }
 
 // static
-const SkImageInfo& StructTraits<skia::mojom::UnsafeBitmapDataView,
-                                SkBitmap>::image_info(const SkBitmap& b) {
+const SkImageInfo&
+StructTraits<skia::mojom::BitmapMappedFromTrustedProcessDataView,
+             SkBitmap>::image_info(const SkBitmap& b) {
   return b.info();
 }
 
 // static
-uint64_t StructTraits<skia::mojom::UnsafeBitmapDataView, SkBitmap>::row_bytes(
-    const SkBitmap& b) {
+uint64_t StructTraits<skia::mojom::BitmapMappedFromTrustedProcessDataView,
+                      SkBitmap>::row_bytes(const SkBitmap& b) {
   return b.rowBytes();
 }
 
 // static
-mojo_base::BigBufferView StructTraits<skia::mojom::UnsafeBitmapDataView,
-                                      SkBitmap>::pixel_data(const SkBitmap& b) {
+mojo_base::BigBufferView
+StructTraits<skia::mojom::BitmapMappedFromTrustedProcessDataView,
+             SkBitmap>::pixel_data(const SkBitmap& b) {
   return mojo_base::BigBufferView(base::make_span(
       static_cast<uint8_t*>(b.getPixels()), b.computeByteSize()));
 }
 
 // static
-bool StructTraits<skia::mojom::UnsafeBitmapDataView, SkBitmap>::Read(
-    skia::mojom::UnsafeBitmapDataView data,
-    SkBitmap* b) {
+bool StructTraits<
+    skia::mojom::BitmapMappedFromTrustedProcessDataView,
+    SkBitmap>::Read(skia::mojom::BitmapMappedFromTrustedProcessDataView data,
+                    SkBitmap* b) {
   SkImageInfo image_info;
   if (!data.ReadImageInfo(&image_info))
     return false;

skia/public/mojom/bitmap_skbitmap_mojom_traits.h

@@ -30,13 +30,15 @@ struct COMPONENT_EXPORT(SKIA_SHARED_TRAITS)
 
 template <>
 struct COMPONENT_EXPORT(SKIA_SHARED_TRAITS)
-    StructTraits<skia::mojom::UnsafeBitmapDataView, SkBitmap> {
+    StructTraits<skia::mojom::BitmapMappedFromTrustedProcessDataView,
+                 SkBitmap> {
   static bool IsNull(const SkBitmap& b);
   static void SetToNull(SkBitmap* b);
   static const SkImageInfo& image_info(const SkBitmap& b);
   static uint64_t row_bytes(const SkBitmap& b);
   static mojo_base::BigBufferView pixel_data(const SkBitmap& b);
-  static bool Read(skia::mojom::UnsafeBitmapDataView data, SkBitmap* b);
+  static bool Read(skia::mojom::BitmapMappedFromTrustedProcessDataView data,
+                   SkBitmap* b);
 };
 
 template <>