[fuchsia] Add video capture type to sandbox types

Add a minimally-privileged sandbox. This is used by the
VideoCaptureService under Fuchsia, but is equivalent to no sandbox on
other platforms.

Bug: 998310
Test: CQ
Change-Id: I418d05b96e7489ab2bb0db6f7c360db7390d7c72
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2161618Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Sergey Ulanov <sergeyu@chromium.org>
Commit-Queue: Sharon Yang <yangsharon@chromium.org>
Cr-Commit-Position: refs/heads/master@{#763530}

chrome/browser/chrome_content_browser_client.cc

@@ -3597,6 +3597,7 @@ base::string16 ChromeContentBrowserClient::GetAppContainerSidForSandboxType(
     case service_manager::SandboxType::kProxyResolver:
     case service_manager::SandboxType::kPdfConversion:
     case service_manager::SandboxType::kSharingService:
+    case service_manager::SandboxType::kVideoCapture:
       // Should never reach here.
       CHECK(0);
       return base::string16();

chrome/browser/ui/webui/sandbox/sandbox_handler.cc

@@ -60,6 +60,8 @@ std::string GetSandboxTypeInEnglish(content::SandboxType sandbox_type) {
       return "PDF Conversion";
     case content::SandboxType::kSharingService:
       return "Sharing";
+    case content::SandboxType::kVideoCapture:
+      return "Video Capture";
   }
 }
 

content/browser/child_process_launcher_helper_fuchsia.cc

@@ -33,6 +33,8 @@ const char* ProcessNameFromSandboxType(
       return "gpu";
     case service_manager::SandboxType::kNetwork:
       return "network";
+    case service_manager::SandboxType::kVideoCapture:
+      return "video-capture";
     default:
       NOTREACHED() << "Unknown sandbox_type.";
       return nullptr;

content/browser/sandbox_parameters_mac.mm

@@ -244,6 +244,7 @@ void SetupSandboxParameters(service_manager::SandboxType sandbox_type,
       SetupUtilitySandboxParameters(client, command_line);
       break;
     case service_manager::SandboxType::kNoSandbox:
+    case service_manager::SandboxType::kVideoCapture:
       CHECK(false) << "Unhandled parameters for sandbox_type "
                    << static_cast<int>(sandbox_type);
   }

content/browser/utility_process_host.cc

@@ -88,6 +88,7 @@ class UtilitySandboxedProcessLauncherDelegate
         sandbox_type_ == service_manager::SandboxType::kCdm ||
         sandbox_type_ == service_manager::SandboxType::kPrintCompositor ||
         sandbox_type_ == service_manager::SandboxType::kPpapi ||
+        sandbox_type_ == service_manager::SandboxType::kVideoCapture ||
 #if defined(OS_CHROMEOS)
         sandbox_type_ == service_manager::SandboxType::kIme ||
 #endif  // OS_CHROMEOS

content/browser/utility_process_sandbox_browsertest.cc

@@ -95,10 +95,13 @@ class UtilityProcessSandboxBrowserTest
   void OnGotSandboxStatusOnIOThread(int32_t sandbox_status) {
     DCHECK_CURRENTLY_ON(BrowserThread::IO);
 
-    // Aside from kNoSandox, every utility process launched explicitly with a
+    // Aside from kNoSandbox, every utility process launched explicitly with a
     // sandbox type should always end up with a sandbox.
+    // kVideoCapture is equivalent to kNoSandbox on all platforms except
+    // Fuchsia.
     switch (GetParam()) {
       case SandboxType::kNoSandbox:
+      case SandboxType::kVideoCapture:
         EXPECT_EQ(sandbox_status, 0);
         break;
 

content/browser/video_capture_service.cc

@@ -112,7 +112,7 @@ video_capture::mojom::VideoCaptureService& GetVideoCaptureService() {
           std::move(receiver),
           ServiceProcessHost::Options()
               .WithDisplayName("Video Capture")
-              .WithSandboxType(service_manager::SandboxType::kNoSandbox)
+              .WithSandboxType(service_manager::SandboxType::kVideoCapture)
 #if defined(OS_MACOSX)
               // On Mac, the service requires a CFRunLoop which is provided by a
               // UI message loop. See https://crbug.com/834581.

services/service_manager/sandbox/BUILD.gn

@@ -118,6 +118,7 @@ component("sandbox") {
     ]
 
     deps += [
+      "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.camera3",
       "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.fonts",
       "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.intl",
       "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.logger",

services/service_manager/sandbox/fuchsia/sandbox_policy_fuchsia.cc

@@ -9,6 +9,7 @@
 #include <zircon/processargs.h>
 #include <zircon/syscalls/policy.h>
 
+#include <fuchsia/camera3/cpp/fidl.h>
 #include <fuchsia/fonts/cpp/fidl.h>
 #include <fuchsia/intl/cpp/fidl.h>
 #include <fuchsia/logger/cpp/fidl.h>
@@ -103,6 +104,13 @@ constexpr SandboxConfig kRendererConfig = {
     kAmbientMarkVmoAsExecutable,
 };
 
+constexpr SandboxConfig kVideoCaptureConfig = {
+    base::make_span((const char* const[]){
+        fuchsia::camera3::DeviceWatcher::Name_,
+    }),
+    0,
+};
+
 // No-access-to-anything.
 constexpr SandboxConfig kEmptySandboxConfig = {
     base::span<const char* const>(),
@@ -121,6 +129,8 @@ const SandboxConfig* GetConfigForSandboxType(SandboxType type) {
       return &kRendererConfig;
     case SandboxType::kWebContext:
       return &kWebContextConfig;
+    case SandboxType::kVideoCapture:
+      return &kVideoCaptureConfig;
     // Remaining types receive no-access-to-anything.
     case SandboxType::kAudio:
     case SandboxType::kCdm:

services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc

@@ -188,6 +188,7 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
 #endif  // defined(OS_CHROMEOS)
     case SandboxType::kZygoteIntermediateSandbox:
     case SandboxType::kNoSandbox:
+    case SandboxType::kVideoCapture:
       NOTREACHED();
       return nullptr;
   }
@@ -234,6 +235,7 @@ void SandboxSeccompBPF::RunSandboxSanityChecks(
     case SandboxType::kNetwork:
     case SandboxType::kUtility:
     case SandboxType::kNoSandbox:
+    case SandboxType::kVideoCapture:
     case SandboxType::kZygoteIntermediateSandbox:
       // Otherwise, no checks required.
       break;

services/service_manager/sandbox/mac/sandbox_mac.mm

@@ -261,6 +261,7 @@ std::string SandboxMac::GetSandboxProfile(SandboxType sandbox_type) {
       profile += service_manager::kSeatbeltPolicyString_renderer;
       break;
     case service_manager::SandboxType::kNoSandbox:
+    case service_manager::SandboxType::kVideoCapture:
     case service_manager::SandboxType::kSpeechRecognition:
       CHECK(false);
       break;

services/service_manager/sandbox/sandbox_type.cc

@@ -30,6 +30,12 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) {
 #endif
     case SandboxType::kAudio:
       return !IsAudioSandboxEnabled();
+    case SandboxType::kVideoCapture:
+#if defined(OS_FUCHSIA)
+      return false;
+#else
+      return true;
+#endif
     case SandboxType::kNetwork:
 #if defined(OS_MACOSX)
       return false;
@@ -105,6 +111,7 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line,
     case SandboxType::kCdm:
     case SandboxType::kPrintCompositor:
     case SandboxType::kAudio:
+    case SandboxType::kVideoCapture:
 #if defined(OS_WIN)
     case SandboxType::kXrCompositing:
     case SandboxType::kProxyResolver:
@@ -215,6 +222,8 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) {
       return switches::kUtilitySandbox;
     case SandboxType::kAudio:
       return switches::kAudioSandbox;
+    case SandboxType::kVideoCapture:
+      return switches::kVideoCaptureSandbox;
 #if !defined(OS_MACOSX)
     case SandboxType::kSharingService:
       return switches::kSharingServiceSandbox;
@@ -283,6 +292,8 @@ SandboxType UtilitySandboxTypeFromString(const std::string& sandbox_string) {
     return SandboxType::kAudio;
   if (sandbox_string == switches::kSpeechRecognitionSandbox)
     return SandboxType::kSpeechRecognition;
+  if (sandbox_string == switches::kVideoCaptureSandbox)
+    return SandboxType::kVideoCapture;
 #if defined(OS_CHROMEOS)
   if (sandbox_string == switches::kImeSandbox)
     return SandboxType::kIme;

services/service_manager/sandbox/sandbox_type.h

@@ -84,7 +84,11 @@ enum class SandboxType {
   // The speech recognition service process.
   kSpeechRecognition,
 
-  kMaxValue = kSpeechRecognition
+  // Equivalent to no sandbox on all non-Fuchsia platforms.
+  // Minimally privileged sandbox on Fuchsia.
+  kVideoCapture,
+
+  kMaxValue = kVideoCapture
 };
 
 SERVICE_MANAGER_SANDBOX_EXPORT bool IsUnsandboxedSandboxType(

services/service_manager/sandbox/switches.cc

@@ -30,6 +30,7 @@ const char kPrintCompositorSandbox[] = "print_compositor";
 const char kAudioSandbox[] = "audio";
 const char kSharingServiceSandbox[] = "sharing_service";
 const char kSpeechRecognitionSandbox[] = "speech_recognition";
+const char kVideoCaptureSandbox[] = "video_capture";
 
 #if defined(OS_WIN)
 const char kPdfConversionSandbox[] = "pdf_conversion";

services/service_manager/sandbox/switches.h

@@ -29,6 +29,7 @@ SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPrintCompositorSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kAudioSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kSharingServiceSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kSpeechRecognitionSandbox[];
+SERVICE_MANAGER_SANDBOX_EXPORT extern const char kVideoCaptureSandbox[];
 
 #if defined(OS_WIN)
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPdfConversionSandbox[];