[fuchsia] Whitelist required Fuchsia services in component manifest.

The application manager will require components to explicitly declare
the services which they depend on in the component manifest.

This CL defines new, more granular "sandbox_policy" files
which specifies the minimal list of required features and services for
each type of package.


Bug: 750938

Change-Id: Iec3b4e5abe96d81a9e4e149a2a1d9e387d55ab42
Reviewed-on: https://chromium-review.googlesource.com/1208444Reviewed-by: Alex Sakhartchouk <alexst@chromium.org>
Reviewed-by: Michael Spang <spang@chromium.org>
Reviewed-by: Sami Kyöstilä <skyostil@chromium.org>
Reviewed-by: John Budorick <jbudorick@chromium.org>
Reviewed-by: Kevin Marshall <kmarshall@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Reviewed-by: Scott Graham <scottmg@chromium.org>
Commit-Queue: Kevin Marshall <kmarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590799}

BUILD.gn

@@ -752,11 +752,13 @@ if (is_fuchsia) {
   # TODO(https://crbug.com/731217): This can't practically be in //v8 without
   # duplicating all the Fuchsia running infrastructure there.
   fuchsia_package("d8_fuchsia_pkg") {
+    testonly = true
     binary = "//v8:d8"
     package_name_override = "d8"
   }
 
   fuchsia_package_runner("d8_fuchsia") {
+    testonly = true
     package = ":d8_fuchsia_pkg"
     package_name_override = "d8"
   }

build/config/fuchsia/package.gni

@@ -12,7 +12,9 @@ import("//build/config/sysroot.gni")
 #     if different than |target_name|.
 # binary: The executable target which should be launched.
 # sandbox_policy: A path to the sandbox_policy that will be used.
-#     Defaults to //build/config/fuchsia/sandbox_policy.
+#     "testonly" targets default to using
+#     //build/config/fuchsia/testing_sandbox_policy by default.
+#     Non-test targets must explicitly specify a |sandbox_policy|.
 # deps: Additional targets to build and include in the package (optional).
 template("fuchsia_package") {
   pkg = {
@@ -25,7 +27,8 @@ template("fuchsia_package") {
     }
 
     if (!defined(sandbox_policy)) {
-      sandbox_policy = "//build/config/fuchsia/sandbox_policy"
+      assert(testonly == true)
+      sandbox_policy = "//build/config/fuchsia/testing_sandbox_policy"
     }
   }
   assert(defined(pkg.binary))

build/config/fuchsia/sandbox_policy

-{
-  "features": [ "persistent-storage", "root-ssl-certificates", "system-temp",
-      "deprecated-all-services", "vulkan" ]
-}

build/config/fuchsia/testing_sandbox_policy

 {
   "features": [ "persistent-storage", "root-ssl-certificates", "system-temp",
-      "deprecated-all-services", "vulkan" ],
-  "dev": ["null", "zero"]
+      "vulkan" ],
+  "dev": ["null", "zero"],
+  "services": [
+      "fuchsia.fonts.FontProvider",
+      "fuchsia.media.Audio",
+      "fuchsia.net.LegacySocketProvider",
+      "fuchsia.netstack.Netstack",
+      "fuchsia.process.Launcher",
+      "fuchsia.ui.policy.Presenter",
+      "fuchsia.ui.scenic.Scenic",
+      "fuchsia.ui.viewsv1.ViewManager"
+  ]
 }

headless/BUILD.gn

@@ -893,6 +893,7 @@ if (is_fuchsia) {
   fuchsia_package("headless_shell_pkg") {
     binary = ":headless_shell"
     package_name_override = "headless_shell"
+    sandbox_policy = "//build/config/fuchsia/testing_sandbox_policy"
   }
 
   fuchsia_package_runner("headless_shell_fuchsia") {

testing/test.gni

@@ -275,7 +275,6 @@ template("test") {
 
     fuchsia_package(_pkg_target) {
       testonly = true
-      sandbox_policy = "//build/config/fuchsia/testing_sandbox_policy"
       binary = ":$_exec_target"
       package_name_override = _output_name
     }

ui/ozone/demo/BUILD.gn

@@ -101,11 +101,13 @@ executable("skia_demo") {
 
 if (is_fuchsia) {
   fuchsia_package("ozone_demo_pkg") {
+    testonly = true
     binary = ":ozone_demo"
     package_name_override = "ozone_demo"
   }
 
   fuchsia_package_runner("ozone_demo_fuchsia") {
+    testonly = true
     package = ":ozone_demo_pkg"
     package_name_override = "ozone_demo"
   }

webrunner/BUILD.gn

@@ -17,6 +17,7 @@ config("webrunner_implementation") {
 fuchsia_package("webrunner_pkg") {
   binary = ":webrunner_exe"
   package_name_override = "web_runner"
+  sandbox_policy = "app/sandbox_policy"
 }
 
 fuchsia_package_runner("webrunner") {
@@ -47,6 +48,7 @@ executable("webrunner_exe") {
 fuchsia_package("service_pkg") {
   binary = ":service_exe"
   package_name_override = "chromium"
+  sandbox_policy = "service/sandbox_policy"
 }
 
 executable("service_exe") {

webrunner/app/sandbox_policy

+{
+  "features": [],
+  "services": [
+      "chromium.web.ContextProvider",
+      "fuchsia.fonts.FontProvider",
+      "fuchsia.media.Audio",
+      "fuchsia.net.LegacySocketProvider",
+      "fuchsia.netstack.Netstack",
+      "fuchsia.process.Launcher",
+      "fuchsia.ui.scenic.Scenic",
+      "fuchsia.ui.viewsv1.ViewManager"
+  ]
+}

webrunner/net_http/BUILD.gn

@@ -29,6 +29,7 @@ executable("http_service") {
 fuchsia_package("http_pkg") {
   binary = ":http_service"
   package_name_override = "http"
+  sandbox_policy = "sandbox_policy"
 }
 
 fuchsia_package_runner("http_pkg_runner") {

webrunner/net_http/sandbox_policy

+{
+  "features": [ "root-ssl-certificates" ],
+  "services": [
+      "fuchsia.net.LegacySocketProvider",
+      "fuchsia.netstack.Netstack"
+  ]
+}

webrunner/service/sandbox_policy

+{
+  "features": [ "root-ssl-certificates", "vulkan" ],
+  "services": [
+    "fuchsia.process.Launcher"
+  ]
+}