VCD: Generate token for CameraHalServer

Generates the token for CameraHalServer for it to be used for
RegisterServerWithToken.

Bug: b/170075468
Test: Build, deploy simplechrome, and verify the server token is
generated.

Change-Id: If3feaa7c06aa67bfbd478d4d0b5aedf22847ff0c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2534552
Commit-Queue: Jasmine Chen <lnishan@google.com>
Reviewed-by: Wei Lee <wtlee@chromium.org>
Cr-Commit-Position: refs/heads/master@{#828211}

media/capture/video/chromeos/camera_hal_dispatcher_impl.cc

@@ -127,6 +127,13 @@ bool CameraHalDispatcherImpl::Start(
   jea_factory_ = std::move(jea_factory);
   base::WaitableEvent started(base::WaitableEvent::ResetPolicy::MANUAL,
                               base::WaitableEvent::InitialState::NOT_SIGNALED);
+  // It's important we generate tokens before creating the socket, because once
+  // it is available, everyone connecting to socket would start fetching
+  // tokens.
+  if (!token_manager_.GenerateServerToken()) {
+    LOG(ERROR) << "Failed to generate authentication token for server";
+    return false;
+  }
   blocking_io_task_runner_->PostTask(
       FROM_HERE,
       base::BindOnce(&CameraHalDispatcherImpl::CreateSocket,

media/capture/video/chromeos/token_manager.cc

@@ -4,11 +4,72 @@
 
 #include "media/capture/video/chromeos/token_manager.h"
 
+#include <grp.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <string>
+
+#include <base/files/file_path.h>
+#include <base/files/file_util.h>
+#include <base/strings/string_number_conversions.h>
+#include <base/strings/string_util.h>
+
+namespace {
+
+gid_t GetArcCameraGid() {
+  auto* group = getgrnam("arc-camera");
+  return group != nullptr ? group->gr_gid : 0;
+}
+
+bool EnsureTokenDirectoryExists(const base::FilePath& token_path) {
+  static const gid_t gid = GetArcCameraGid();
+  if (gid == 0) {
+    LOG(ERROR) << "Failed to query the GID of arc-camera";
+    return false;
+  }
+
+  base::FilePath dir_name = token_path.DirName();
+  if (!base::CreateDirectory(dir_name) ||
+      !base::SetPosixFilePermissions(dir_name, 0770)) {
+    LOG(ERROR) << "Failed to create token directory at "
+               << token_path.AsUTF8Unsafe();
+    return false;
+  }
+
+  if (chown(dir_name.AsUTF8Unsafe().c_str(), -1, gid) != 0) {
+    LOG(ERROR) << "Failed to chown token directory to arc-camera";
+    return false;
+  }
+  return true;
+}
+
+}  // namespace
+
 namespace media {
 
 TokenManager::TokenManager() = default;
 TokenManager::~TokenManager() = default;
 
+bool TokenManager::GenerateServerToken() {
+  static constexpr char kServerTokenPath[] = "/run/camera_tokens/server/token";
+  base::FilePath token_path(kServerTokenPath);
+
+  if (!EnsureTokenDirectoryExists(token_path)) {
+    LOG(ERROR) << "Failed to ensure server token directory exists";
+    return false;
+  }
+  base::File token_file(
+      token_path, base::File::FLAG_CREATE_ALWAYS | base::File::FLAG_WRITE);
+  if (!token_file.IsValid()) {
+    LOG(ERROR) << "Failed to create server token file";
+    return false;
+  }
+  server_token_ = base::UnguessableToken::Create();
+  std::string token_string = server_token_.ToString();
+  token_file.WriteAtCurrentPos(token_string.c_str(), token_string.length());
+  return true;
+}
+
 base::UnguessableToken TokenManager::GetTokenForTrustedClient(
     cros::mojom::CameraClientType type) {
   // pluginvm's token should be generated by vm_permission_service.

media/capture/video/chromeos/token_manager.h

@@ -16,6 +16,8 @@ class TokenManager {
   TokenManager();
   ~TokenManager();
 
+  bool GenerateServerToken();
+
   base::UnguessableToken GetTokenForTrustedClient(
       cros::mojom::CameraClientType type);
 
@@ -23,6 +25,7 @@ class TokenManager {
                           const base::UnguessableToken& token);
 
  private:
+  base::UnguessableToken server_token_;
   base::flat_map<cros::mojom::CameraClientType, base::UnguessableToken>
       client_token_map_;
 };