assistant: Sandbox libassistant service
This patch creates a new utility sandbox type of libassistant to sandbox the Libassistant service. Bug: b/155328340 Test: manual Change-Id: Ib65ac7af93f5ee420909389aa03e5252f994782b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2799135 Commit-Queue: Tao Wu <wutao@chromium.org> Reviewed-by: Sam McNally <sammc@chromium.org> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Xiaohui Chen <xiaohuic@chromium.org> Cr-Commit-Position: refs/heads/master@{#876474}
chrome
browser
utility
chromeos
assistant
services
content
sandbox/policy
@ -16,6 +16,7 @@ import("//build/config/ui.gni")
|
||||
import("//chrome/browser/buildflags.gni")
|
||||
import("//chrome/browser/downgrade/buildflags.gni")
|
||||
import("//chrome/common/features.gni")
|
||||
import("//chromeos/assistant/assistant.gni")
|
||||
import("//components/captive_portal/core/features.gni")
|
||||
import("//components/feed/features.gni")
|
||||
import("//components/nacl/features.gni")
|
||||
@ -2431,6 +2432,10 @@ static_library("browser") {
|
||||
"//chromeos/components/telemetry_extension_ui/mojom",
|
||||
]
|
||||
}
|
||||
|
||||
if (enable_libassistant_sandbox) {
|
||||
deps += [ "//chromeos/services/libassistant/public/mojom" ]
|
||||
}
|
||||
}
|
||||
if (is_linux || is_chromeos) {
|
||||
deps += [ "//chrome/browser/error_reporting" ]
|
||||
|
@ -5,6 +5,7 @@
|
||||
#ifndef CHROME_BROWSER_CHROMEOS_SERVICE_SANDBOX_TYPE_H_
|
||||
#define CHROME_BROWSER_CHROMEOS_SERVICE_SANDBOX_TYPE_H_
|
||||
|
||||
#include "chromeos/assistant/buildflags.h"
|
||||
#include "content/public/browser/service_process_host.h"
|
||||
#include "sandbox/policy/sandbox_type.h"
|
||||
|
||||
@ -42,4 +43,20 @@ content::GetServiceSandboxType<chromeos::tts::mojom::TtsService>() {
|
||||
return sandbox::policy::SandboxType::kTts;
|
||||
}
|
||||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
namespace chromeos {
|
||||
namespace libassistant {
|
||||
namespace mojom {
|
||||
class LibassistantService;
|
||||
} // namespace mojom
|
||||
} // namespace libassistant
|
||||
} // namespace chromeos
|
||||
|
||||
template <>
|
||||
inline sandbox::policy::SandboxType content::GetServiceSandboxType<
|
||||
chromeos::libassistant::mojom::LibassistantService>() {
|
||||
return sandbox::policy::SandboxType::kLibassistant;
|
||||
}
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
|
||||
#endif // CHROME_BROWSER_CHROMEOS_SERVICE_SANDBOX_TYPE_H_
|
||||
|
@ -32,6 +32,11 @@
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "services/network/public/cpp/shared_url_loader_factory.h"
|
||||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#include "chrome/browser/chromeos/service_sandbox_type.h"
|
||||
#include "chromeos/services/libassistant/public/mojom/service.mojom.h"
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
|
||||
AssistantClientImpl::AssistantClientImpl() {
|
||||
auto* session_manager = session_manager::SessionManager::Get();
|
||||
// AssistantClientImpl must be created before any user session is created.
|
||||
@ -162,6 +167,18 @@ void AssistantClientImpl::RequestNetworkConfig(
|
||||
ash::GetNetworkConfigService(std::move(receiver));
|
||||
}
|
||||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
void AssistantClientImpl::RequestLibassistantService(
|
||||
mojo::PendingReceiver<chromeos::libassistant::mojom::LibassistantService>
|
||||
receiver) {
|
||||
content::ServiceProcessHost::Launch<
|
||||
chromeos::libassistant::mojom::LibassistantService>(
|
||||
std::move(receiver), content::ServiceProcessHost::Options()
|
||||
.WithDisplayName("Libassistant Service")
|
||||
.Pass());
|
||||
}
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
|
||||
void AssistantClientImpl::OnExtendedAccountInfoUpdated(
|
||||
const AccountInfo& info) {
|
||||
if (initialized_)
|
||||
|
@ -13,6 +13,7 @@
|
||||
#include "base/macros.h"
|
||||
#include "base/scoped_observer.h"
|
||||
#include "chrome/browser/ui/ash/assistant/device_actions.h"
|
||||
#include "chromeos/assistant/buildflags.h"
|
||||
#include "chromeos/services/assistant/public/cpp/assistant_client.h"
|
||||
#include "chromeos/services/assistant/service.h"
|
||||
#include "components/session_manager/core/session_manager_observer.h"
|
||||
@ -78,6 +79,11 @@ class AssistantClientImpl : public ash::AssistantClient,
|
||||
void RequestNetworkConfig(
|
||||
mojo::PendingReceiver<chromeos::network_config::mojom::CrosNetworkConfig>
|
||||
receiver) override;
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
void RequestLibassistantService(
|
||||
mojo::PendingReceiver<chromeos::libassistant::mojom::LibassistantService>
|
||||
receiver) override;
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
|
||||
private:
|
||||
// signin::IdentityManager::Observer:
|
||||
|
@ -176,6 +176,13 @@ static_library("utility") {
|
||||
"//chromeos/services/assistant/audio_decoder:lib",
|
||||
"//chromeos/services/assistant/public/mojom",
|
||||
]
|
||||
|
||||
if (enable_libassistant_sandbox) {
|
||||
deps += [
|
||||
"//chromeos/services/libassistant",
|
||||
"//chromeos/services/libassistant/public/mojom",
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -27,6 +27,7 @@ include_rules = [
|
||||
"+chromeos/services/assistant",
|
||||
"+chromeos/services/ime/ime_service.h",
|
||||
"+chromeos/services/ime/public/mojom",
|
||||
"+chromeos/services/libassistant/libassistant_service.h",
|
||||
"+chromeos/services/nearby",
|
||||
"+chromeos/services/tts",
|
||||
"+components/crash/core/common/crash_keys.h",
|
||||
|
@ -108,6 +108,10 @@
|
||||
|
||||
#if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
|
||||
#include "chromeos/services/assistant/audio_decoder/assistant_audio_decoder_factory.h" // nogncheck
|
||||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#include "chromeos/services/libassistant/libassistant_service.h" // nogncheck
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
|
||||
@ -293,8 +297,17 @@ auto RunAssistantAudioDecoder(
|
||||
return std::make_unique<chromeos::assistant::AssistantAudioDecoderFactory>(
|
||||
std::move(receiver));
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
auto RunLibassistantService(
|
||||
mojo::PendingReceiver<chromeos::libassistant::mojom::LibassistantService>
|
||||
receiver) {
|
||||
return std::make_unique<chromeos::libassistant::LibassistantService>(
|
||||
std::move(receiver));
|
||||
}
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
|
||||
} // namespace
|
||||
|
||||
@ -374,8 +387,11 @@ void RegisterMainThreadServices(mojo::ServiceFactory& services) {
|
||||
services.Add(RunLocalSearchService);
|
||||
#if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
|
||||
services.Add(RunAssistantAudioDecoder);
|
||||
#endif
|
||||
#endif
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
services.Add(RunLibassistantService);
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
}
|
||||
|
||||
void RegisterIOThreadServices(mojo::ServiceFactory& services) {
|
||||
|
@ -11,6 +11,7 @@ buildflag_header("buildflags") {
|
||||
|
||||
flags = [
|
||||
"ENABLE_CROS_LIBASSISTANT=$enable_cros_libassistant",
|
||||
"ENABLE_LIBASSISTANT_SANDBOX=$enable_cros_libassistant && $enable_libassistant_sandbox",
|
||||
"ENABLE_CROS_AMBIENT_MODE_BACKEND=$enable_cros_ambient_mode_backend",
|
||||
]
|
||||
}
|
||||
|
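Review bot: The `ENABLE_LIBASSISTANT_SANDBOX` buildflag is ANDed with `enable_cros_libassistant` here, but several GN conditions added elsewhere in this commit test `enable_libassistant_sandbox` on its own, so the C++ flag and the GN dependency graph can disagree. With `enable_libassistant_sandbox = true` and `enable_cros_libassistant = false`, a block such as `deps += [ "//chromeos/services/libassistant:sandbox_hook" ]` would still be evaluated, and that BUILD file begins with `assert(enable_cros_libassistant)`. I would state the relationship once next to the arg declaration, e.g. `assert(!enable_libassistant_sandbox || enable_cros_libassistant)`, or derive one combined variable that both this buildflag and the `if (...)` blocks use.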
@ -5,6 +5,9 @@ declare_args() {
|
||||
# Enable assistant implementation based on libassistant.
|
||||
enable_cros_libassistant = is_chromeos_ash && is_chrome_branded
|
||||
|
||||
# Enable sandboxing LibAssistant service.
|
||||
enable_libassistant_sandbox = false
|
||||
|
||||
# Enable a fake microphone, which can replay audio files as microphone input.
|
||||
# See chromeos/assistant/tools/send-audio.sh
|
||||
enable_fake_assistant_microphone = false
|
||||
|
@ -95,6 +95,10 @@ source_set("libassistant_service_host") {
|
||||
|
||||
if (enable_cros_libassistant) {
|
||||
deps += [ "//chromeos/services/libassistant" ]
|
||||
|
||||
if (enable_libassistant_sandbox) {
|
||||
deps += [ "//chromeos/services/assistant/public/cpp" ]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -11,7 +11,12 @@
|
||||
|
||||
#if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
|
||||
#include "chromeos/services/libassistant/libassistant_service.h"
|
||||
#endif
|
||||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#include "chromeos/services/assistant/public/cpp/assistant_client.h" // nogncheck
|
||||
#include "chromeos/services/libassistant/public/mojom/service.mojom-forward.h" // nogncheck
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
|
||||
|
||||
namespace chromeos {
|
||||
namespace assistant {
|
||||
@ -19,7 +24,9 @@ namespace assistant {
|
||||
#if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
|
||||
|
||||
LibassistantServiceHostImpl::LibassistantServiceHostImpl() {
|
||||
#if !BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
DETACH_FROM_SEQUENCE(sequence_checker_);
|
||||
#endif
|
||||
}
|
||||
|
||||
LibassistantServiceHostImpl::~LibassistantServiceHostImpl() = default;
|
||||
@ -27,16 +34,22 @@ LibassistantServiceHostImpl::~LibassistantServiceHostImpl() = default;
|
||||
void LibassistantServiceHostImpl::Launch(
|
||||
mojo::PendingReceiver<chromeos::libassistant::mojom::LibassistantService>
|
||||
receiver) {
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
AssistantClient::Get()->RequestLibassistantService(std::move(receiver));
|
||||
#else
|
||||
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
|
||||
DCHECK(!libassistant_service_);
|
||||
libassistant_service_ =
|
||||
std::make_unique<chromeos::libassistant::LibassistantService>(
|
||||
std::move(receiver));
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
}
|
||||
|
||||
void LibassistantServiceHostImpl::Stop() {
|
||||
#if !BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
|
||||
libassistant_service_ = nullptr;
|
||||
#endif
|
||||
}
|
||||
|
||||
#else
|
||||
|
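Review bot: With `ENABLE_LIBASSISTANT_SANDBOX` set, `Launch()` loses its `DCHECK_CALLED_ON_VALID_SEQUENCE` and dereferences `AssistantClient::Get()` with no null check, and `Stop()` compiles to an empty body with no comment saying how the service is torn down. Nothing in the visible hunks states which sequence `Launch()` is now expected on. If it is still driven from the background thread, as the caller name `LaunchLibassistantServiceOnBackgroundThread` suggests (its body is not shown), the browser-side `ServiceProcessHost::Launch` call would be reached off the UI thread. I would add `DCHECK(AssistantClient::Get());` before the call, document the expected thread, and put a comment in `Stop()` such as `// Sandboxed build: the service lives in a utility process; teardown happens when the caller drops its remote.` once that path is confirmed.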
@ -37,7 +37,8 @@ class LibassistantServiceHostImpl : public LibassistantServiceHost {
|
||||
void Stop() override;
|
||||
|
||||
private:
|
||||
#if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
|
||||
#if BUILDFLAG(ENABLE_CROS_LIBASSISTANT) && \
|
||||
!BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
SEQUENCE_CHECKER(sequence_checker_);
|
||||
std::unique_ptr<chromeos::libassistant::LibassistantService>
|
||||
libassistant_service_ GUARDED_BY_CONTEXT(sequence_checker_);
|
||||
|
@ -55,6 +55,8 @@ void AssistantProxy::LaunchLibassistantServiceOnBackgroundThread(
|
||||
}
|
||||
|
||||
void AssistantProxy::StopLibassistantService() {
|
||||
libassistant_service_.reset();
|
||||
|
||||
// |libassistant_service_| is launched on the background thread, so we have to
|
||||
// stop it there as well.
|
||||
background_task_runner()->PostTask(
|
||||
|
@ -40,5 +40,8 @@ component("cpp") {
|
||||
"//ui/accessibility/mojom",
|
||||
]
|
||||
|
||||
deps = [ "//components/prefs" ]
|
||||
deps = [
|
||||
"//chromeos/assistant:buildflags",
|
||||
"//components/prefs",
|
||||
]
|
||||
}
|
||||
|
@ -7,6 +7,7 @@
|
||||
|
||||
#include "ash/public/mojom/assistant_volume_control.mojom.h"
|
||||
#include "base/component_export.h"
|
||||
#include "chromeos/assistant/buildflags.h"
|
||||
#include "chromeos/services/assistant/public/cpp/assistant_enums.h"
|
||||
#include "chromeos/services/assistant/public/mojom/assistant_audio_decoder.mojom.h"
|
||||
#include "chromeos/services/libassistant/public/cpp/assistant_notification.h"
|
||||
@ -18,6 +19,10 @@
|
||||
#include "services/media_session/public/mojom/audio_focus.mojom.h"
|
||||
#include "services/media_session/public/mojom/media_controller.mojom.h"
|
||||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#include "chromeos/services/libassistant/public/mojom/service.mojom-forward.h"
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
|
||||
namespace chromeos {
|
||||
namespace assistant {
|
||||
|
||||
@ -74,6 +79,13 @@ class COMPONENT_EXPORT(ASSISTANT_SERVICE_PUBLIC) AssistantClient {
|
||||
virtual void RequestNetworkConfig(
|
||||
mojo::PendingReceiver<chromeos::network_config::mojom::CrosNetworkConfig>
|
||||
receiver) = 0;
|
||||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
// Requests a connection to Libassistant service interface via the browser.
|
||||
virtual void RequestLibassistantService(
|
||||
mojo::PendingReceiver<chromeos::libassistant::mojom::LibassistantService>
|
||||
receiver) = 0;
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
};
|
||||
|
||||
} // namespace assistant
|
||||
|
@ -7,6 +7,19 @@ import("//chromeos/assistant/assistant.gni")
|
||||
|
||||
assert(enable_cros_libassistant)
|
||||
|
||||
component("constants") {
|
||||
output_name = "libassistant_constants"
|
||||
defines = [ "IS_LIBASSISTANT_CONSTANTS_IMPL" ]
|
||||
deps = [
|
||||
"//base",
|
||||
"//build:branding_buildflags",
|
||||
]
|
||||
sources = [
|
||||
"constants.cc",
|
||||
"constants.h",
|
||||
]
|
||||
}
|
||||
|
||||
component("libassistant") {
|
||||
sources = [
|
||||
"libassistant_service.cc",
|
||||
@ -29,6 +42,20 @@ component("libassistant") {
|
||||
output_name = "lib_libassistant_service"
|
||||
}
|
||||
|
||||
source_set("sandbox_hook") {
|
||||
sources = [
|
||||
"libassistant_sandbox_hook.cc",
|
||||
"libassistant_sandbox_hook.h",
|
||||
]
|
||||
|
||||
deps = [
|
||||
":constants",
|
||||
"//base",
|
||||
"//sandbox/linux:sandbox_services",
|
||||
"//sandbox/policy",
|
||||
]
|
||||
}
|
||||
|
||||
source_set("internal") {
|
||||
visibility = [ ":*" ]
|
||||
|
||||
@ -82,7 +109,9 @@ source_set("internal") {
|
||||
|
||||
deps = [
|
||||
":audio",
|
||||
":constants",
|
||||
"//build/util:webkit_version",
|
||||
"//chromeos/assistant:buildflags",
|
||||
"//chromeos/assistant/internal",
|
||||
"//chromeos/assistant/internal:buildflags",
|
||||
"//chromeos/assistant/internal:libassistant",
|
||||
|
@ -6,6 +6,9 @@ include_rules = [
|
||||
"+media/audio",
|
||||
"+media/base",
|
||||
"+media/mojo/mojom",
|
||||
"+sandbox/linux/syscall_broker/broker_command.h",
|
||||
"+sandbox/linux/syscall_broker/broker_file_permission.h",
|
||||
"+sandbox/policy/linux/sandbox_linux.h",
|
||||
"+services/audio/public",
|
||||
"+services/device/public/mojom",
|
||||
"+services/media_session/public/mojom",
|
||||
|
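--- a/chromeos/services/libassistant/constants.cc
+++ b/chromeos/services/libassistant/constants.cc
@@ -0,0 +1,21 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromeos/services/libassistant/constants.h"
+
+#include "base/files/file_util.h"
+
+#define ASSISTANT_DIR_STRING "google-assistant-library"
+
+namespace chromeos {
+namespace libassistant {
+
+const base::FilePath::CharType kAssistantBaseDirPath[] =
+FILE_PATH_LITERAL("/home/chronos/user/" ASSISTANT_DIR_STRING);
+
+const base::FilePath::CharType kAssistantTempBaseDirPath[] =
+FILE_PATH_LITERAL("/tmp/" ASSISTANT_DIR_STRING);
+
+} // namespace libassistant
+} // namespace chromeos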
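--- a/chromeos/services/libassistant/constants.h
+++ b/chromeos/services/libassistant/constants.h
@@ -0,0 +1,25 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMEOS_SERVICES_LIBASSISTANT_CONSTANTS_H_
+#define CHROMEOS_SERVICES_LIBASSISTANT_CONSTANTS_H_
+
+#include "base/component_export.h"
+#include "base/files/file_path.h"
+
+namespace chromeos {
+namespace libassistant {
+
+// A directory to save Assistant config files.
+COMPONENT_EXPORT(LIBASSISTANT_CONSTANTS)
+extern const base::FilePath::CharType kAssistantBaseDirPath[];
+
+// A directory used in gLinux simulation.
+COMPONENT_EXPORT(LIBASSISTANT_CONSTANTS)
+extern const base::FilePath::CharType kAssistantTempBaseDirPath[];
+
+} // namespace libassistant
+} // namespace chromeos
+
+#endif // CHROMEOS_SERVICES_LIBASSISTANT_CONSTANTS_H_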
@ -37,16 +37,16 @@ bool FileProviderImpl::WriteFile(const std::string& path,
|
||||
|
||||
// Create a temp file.
|
||||
base::FilePath temp_file;
|
||||
if (!base::CreateTemporaryFileInDir(full_path.DirName(), &temp_file)) {
|
||||
auto fd = base::CreateAndOpenFdForTemporaryFileInDir(full_path.DirName(),
|
||||
&temp_file);
|
||||
if (!fd.is_valid())
|
||||
return false;
|
||||
}
|
||||
|
||||
// Write to the tmp file.
|
||||
const int size = data.size();
|
||||
int written_size = base::WriteFile(temp_file, data.data(), size);
|
||||
if (written_size != size) {
|
||||
const bool success =
|
||||
base::WriteFileDescriptor(fd.get(), data.data(), data.size());
|
||||
if (!success)
|
||||
return false;
|
||||
}
|
||||
|
||||
// Replace the current file with the temp file.
|
||||
if (!base::ReplaceFile(temp_file, full_path, nullptr)) {
|
||||
|
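Review bot: When `base::WriteFileDescriptor` fails, the `if (!success) return false;` path leaves the newly created temp file behind in `full_path.DirName()`, so repeated failures accumulate stray files in the Assistant data directory. The broker command set added in libassistant_sandbox_hook.cc on this page lists no unlink command, so a cleanup call from inside the sandboxed process would presumably be denied unless that set is extended too. Either add the cleanup together with the matching broker permission, or make the limitation explicit with a comment at the early return, e.g. `// temp_file is intentionally left behind: the sandboxed process has no unlink permission.` `WriteFile` starts and ends outside this hunk, so the handling after `base::ReplaceFile` is not visible.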
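--- a/chromeos/services/libassistant/libassistant_sandbox_hook.cc
+++ b/chromeos/services/libassistant/libassistant_sandbox_hook.cc
@@ -0,0 +1,73 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromeos/services/libassistant/libassistant_sandbox_hook.h"
+
+#include "base/files/file_path.h"
+#include "base/files/file_util.h"
+#include "base/system/sys_info.h"
+#include "chromeos/services/libassistant/constants.h"
+#include "sandbox/linux/syscall_broker/broker_command.h"
+#include "sandbox/linux/syscall_broker/broker_file_permission.h"
+#include "sandbox/policy/linux/sandbox_linux.h"
+
+using sandbox::syscall_broker::BrokerFilePermission;
+using sandbox::syscall_broker::MakeBrokerCommandSet;
+
+namespace chromeos {
+namespace libassistant {
+
+namespace {
+
+sandbox::syscall_broker::BrokerCommandSet GetLibassistantBrokerCommandSet() {
+return MakeBrokerCommandSet({
+sandbox::syscall_broker::COMMAND_ACCESS,
+sandbox::syscall_broker::COMMAND_MKDIR,
+sandbox::syscall_broker::COMMAND_OPEN,
+sandbox::syscall_broker::COMMAND_RENAME,
+sandbox::syscall_broker::COMMAND_STAT,
+sandbox::syscall_broker::COMMAND_STAT64,
+});
+}
+
+std::vector<BrokerFilePermission> GetLibassistantFilePermissions() {
+base::FilePath assistant_path;
+if (base::SysInfo::IsRunningOnChromeOS()) {
+assistant_path =
+base::FilePath(kAssistantBaseDirPath).AsEndingWithSeparator();
+} else {
+assistant_path =
+base::FilePath(kAssistantTempBaseDirPath).AsEndingWithSeparator();
+}
+CHECK(base::CreateDirectory(assistant_path));
+
+// Save Libassistant logs.
+base::FilePath log_path =
+assistant_path.Append(FILE_PATH_LITERAL("log")).AsEndingWithSeparator();
+CHECK(base::CreateDirectory(log_path));
+
+std::vector<BrokerFilePermission> permissions{
+// Required by Libassistant to generate random string.
+BrokerFilePermission::ReadOnly("/dev/urandom"),
+BrokerFilePermission::ReadWriteCreateRecursive(assistant_path.value()),
+};
+return permissions;
+}
+
+} // namespace
+
+bool LibassistantPreSandboxHook(
+sandbox::policy::SandboxLinux::Options options) {
+auto* instance = sandbox::policy::SandboxLinux::GetInstance();
+
+instance->StartBrokerProcess(
+GetLibassistantBrokerCommandSet(), GetLibassistantFilePermissions(),
+sandbox::policy::SandboxLinux::PreSandboxHook(), options);
+
+instance->EngageNamespaceSandboxIfPossible();
+return true;
+}
+
+} // namespace libassistant
+} // namespace chromeos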
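Review bot: In `GetLibassistantFilePermissions()` the non-ChromeOS branch grants `ReadWriteCreateRecursive` on `/tmp/google-assistant-library/`, a predictable name in a shared, world-writable directory. `base::CreateDirectory` also succeeds when the path already exists, so a directory prepared by another local account would be accepted unchanged. constants.h describes this path as gLinux simulation only, but nothing in the hook keeps the branch off other builds or checks who owns the directory. I would comment the `else` branch with `// Developer-workstation fallback only: /tmp is shared, never store user data here.` and consider refusing to start when the existing directory is not owned by the current user. The recursive read/write/create grant on the whole Assistant directory is also broad; a comment listing which subpaths Libassistant actually writes (only `log` is named here) would let a later change narrow it.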
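--- a/chromeos/services/libassistant/libassistant_sandbox_hook.h
+++ b/chromeos/services/libassistant/libassistant_sandbox_hook.h
@@ -0,0 +1,18 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMEOS_SERVICES_LIBASSISTANT_LIBASSISTANT_SANDBOX_HOOK_H_
+#define CHROMEOS_SERVICES_LIBASSISTANT_LIBASSISTANT_SANDBOX_HOOK_H_
+
+#include "sandbox/policy/linux/sandbox_linux.h"
+
+namespace chromeos {
+namespace libassistant {
+
+bool LibassistantPreSandboxHook(sandbox::policy::SandboxLinux::Options options);
+
+} // namespace libassistant
+} // namespace chromeos
+
+#endif // CHROMEOS_SERVICES_LIBASSISTANT_LIBASSISTANT_SANDBOX_HOOK_H_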
@ -12,10 +12,12 @@
|
||||
#include "base/system/sys_info.h"
|
||||
#include "base/values.h"
|
||||
#include "build/util/webkit_version.h"
|
||||
#include "chromeos/assistant/buildflags.h"
|
||||
#include "chromeos/assistant/internal/internal_constants.h"
|
||||
#include "chromeos/assistant/internal/util_headers.h"
|
||||
#include "chromeos/dbus/util/version_loader.h"
|
||||
#include "chromeos/services/assistant/public/cpp/features.h"
|
||||
#include "chromeos/services/libassistant/constants.h"
|
||||
|
||||
using chromeos::assistant::shared::ClientInteraction;
|
||||
using chromeos::assistant::shared::ClientOpResult;
|
||||
@ -49,15 +51,6 @@ void CreateUserAgent(std::string* user_agent) {
|
||||
base::StringAppendF(user_agent, " ARC/%s", arc_version.c_str());
|
||||
}
|
||||
|
||||
// Get the root path for assistant files.
|
||||
base::FilePath GetRootPath() {
|
||||
base::FilePath home_dir;
|
||||
CHECK(base::PathService::Get(base::DIR_HOME, &home_dir));
|
||||
// Ensures DIR_HOME is overridden after primary user sign-in.
|
||||
CHECK_NE(base::GetHomeDir(), home_dir);
|
||||
return home_dir;
|
||||
}
|
||||
|
||||
ProviderVerificationResult::VerificationStatus GetProviderVerificationStatus(
|
||||
AppStatus status) {
|
||||
switch (status) {
|
||||
@ -175,7 +168,10 @@ bool ShouldLogToFile() {
|
||||
} // namespace
|
||||
|
||||
base::FilePath GetBaseAssistantDir() {
|
||||
return GetRootPath().Append(FILE_PATH_LITERAL("google-assistant-library"));
|
||||
if (base::SysInfo::IsRunningOnChromeOS())
|
||||
return base::FilePath(FILE_PATH_LITERAL(kAssistantBaseDirPath));
|
||||
|
||||
return base::FilePath(FILE_PATH_LITERAL(kAssistantTempBaseDirPath));
|
||||
}
|
||||
|
||||
std::string CreateLibAssistantConfig(
|
||||
@ -221,9 +217,12 @@ std::string CreateLibAssistantConfig(
|
||||
if (ShouldPutLogsInHomeDirectory()) {
|
||||
base::FilePath log_path =
|
||||
GetBaseAssistantDir().Append(FILE_PATH_LITERAL("log"));
|
||||
#if !BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
CHECK(base::CreateDirectory(log_path));
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
log_dir = log_path.value();
|
||||
}
|
||||
|
||||
logging.SetKey("directory", Value(log_dir));
|
||||
// Maximum disk space consumed by all log files. There are 5 rotating log
|
||||
// files on disk.
|
||||
|
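Review bot: `GetBaseAssistantDir()` wraps the array constants in `FILE_PATH_LITERAL(...)`, a macro meant for string literals. It expands to its argument on POSIX, so this compiles, but it would break wherever the macro pastes a prefix, and it reads as if the name were a literal. `return base::FilePath(kAssistantBaseDirPath);`, and the same for `kAssistantTempBaseDirPath`, says what is meant. The replaced `GetRootPath()` also carried `CHECK_NE(base::GetHomeDir(), home_dir)` to ensure the directory was only used after primary-user sign-in, and the hard-coded constant drops that guard, so a comment should state what now guarantees the user mount is present. The closing comment of the new guard in `CreateLibAssistantConfig` should read `#endif  // !BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)`.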
@ -15,6 +15,10 @@
|
||||
#include "content/common/zygote/zygote_handle_impl_linux.h"
|
||||
#endif
|
||||
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
#include "chromeos/assistant/buildflags.h"
|
||||
#endif
|
||||
|
||||
namespace content {
|
||||
|
||||
UtilitySandboxedProcessLauncherDelegate::
|
||||
@ -50,6 +54,9 @@ UtilitySandboxedProcessLauncherDelegate::
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
sandbox_type_ == sandbox::policy::SandboxType::kIme ||
|
||||
sandbox_type_ == sandbox::policy::SandboxType::kTts ||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
sandbox_type_ == sandbox::policy::SandboxType::kLibassistant ||
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
sandbox_type_ == sandbox::policy::SandboxType::kAudio ||
|
||||
#if !defined(OS_MAC)
|
||||
@ -87,6 +94,9 @@ ZygoteHandle UtilitySandboxedProcessLauncherDelegate::GetZygote() {
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
sandbox_type_ == sandbox::policy::SandboxType::kIme ||
|
||||
sandbox_type_ == sandbox::policy::SandboxType::kTts ||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
sandbox_type_ == sandbox::policy::SandboxType::kLibassistant ||
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
sandbox_type_ == sandbox::policy::SandboxType::kAudio ||
|
||||
sandbox_type_ == sandbox::policy::SandboxType::kPrintBackend ||
|
||||
|
@ -3,6 +3,7 @@
|
||||
# found in the LICENSE file.
|
||||
|
||||
import("//build/config/chromeos/ui_mode.gni")
|
||||
import("//chromeos/assistant/assistant.gni")
|
||||
import("//device/vr/buildflags/buildflags.gni")
|
||||
import("//media/media_options.gni")
|
||||
|
||||
@ -77,6 +78,7 @@ source_set("utility") {
|
||||
|
||||
if (is_chromeos_ash) {
|
||||
deps += [
|
||||
"//chromeos/assistant:buildflags",
|
||||
"//chromeos/services/ime:sandbox_hook",
|
||||
"//chromeos/services/tts:sandbox_hook",
|
||||
]
|
||||
@ -89,6 +91,10 @@ source_set("utility") {
|
||||
]
|
||||
}
|
||||
|
||||
if (enable_libassistant_sandbox) {
|
||||
deps += [ "//chromeos/services/libassistant:sandbox_hook" ]
|
||||
}
|
||||
|
||||
# PAC execution is done in process on Android.
|
||||
if (!is_android) {
|
||||
deps += [ "//services/proxy_resolver:lib" ]
|
||||
|
@ -3,7 +3,9 @@ include_rules = [
|
||||
"+content/child",
|
||||
"+content/public/utility",
|
||||
"+content/services",
|
||||
"+chromeos/assistant/buildflags.h",
|
||||
"+chromeos/services/ime",
|
||||
"+chromeos/services/libassistant",
|
||||
"+chromeos/services/tts",
|
||||
"+device/vr/buildflags",
|
||||
"+device/vr/public",
|
||||
|
@ -37,8 +37,13 @@
|
||||
#endif
|
||||
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
#include "chromeos/assistant/buildflags.h"
|
||||
#include "chromeos/services/ime/ime_sandbox_hook.h"
|
||||
#include "chromeos/services/tts/tts_sandbox_hook.h"
|
||||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#include "chromeos/services/libassistant/libassistant_sandbox_hook.h" // nogncheck
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif
|
||||
|
||||
#if defined(OS_MAC)
|
||||
@ -109,6 +114,9 @@ int UtilityMain(const MainFunctionParams& parameters) {
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
sandbox_type == sandbox::policy::SandboxType::kIme ||
|
||||
sandbox_type == sandbox::policy::SandboxType::kTts ||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
sandbox_type == sandbox::policy::SandboxType::kLibassistant ||
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
sandbox_type == sandbox::policy::SandboxType::kPrintBackend ||
|
||||
sandbox_type == sandbox::policy::SandboxType::kAudio ||
|
||||
@ -128,6 +136,12 @@ int UtilityMain(const MainFunctionParams& parameters) {
|
||||
pre_sandbox_hook = base::BindOnce(&chromeos::ime::ImePreSandboxHook);
|
||||
else if (sandbox_type == sandbox::policy::SandboxType::kTts)
|
||||
pre_sandbox_hook = base::BindOnce(&chromeos::tts::TtsPreSandboxHook);
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
else if (sandbox_type == sandbox::policy::SandboxType::kLibassistant) {
|
||||
pre_sandbox_hook =
|
||||
base::BindOnce(&chromeos::libassistant::LibassistantPreSandboxHook);
|
||||
}
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
|
||||
sandbox::policy::Sandbox::Initialize(
|
||||
|
@ -6,6 +6,7 @@ import("//build/buildflag_header.gni")
|
||||
import("//build/config/chromecast_build.gni")
|
||||
import("//build/config/chromeos/ui_mode.gni")
|
||||
import("//build/config/sanitizers/sanitizers.gni")
|
||||
import("//chromeos/assistant/assistant.gni")
|
||||
import("//testing/test.gni")
|
||||
|
||||
component("policy") {
|
||||
@ -87,6 +88,14 @@ component("policy") {
|
||||
"linux/bpf_tts_policy_linux.cc",
|
||||
"linux/bpf_tts_policy_linux.h",
|
||||
]
|
||||
deps += [ "//chromeos/assistant:buildflags" ]
|
||||
|
||||
if (enable_libassistant_sandbox) {
|
||||
sources += [
|
||||
"linux/bpf_libassistant_policy_linux.cc",
|
||||
"linux/bpf_libassistant_policy_linux.h",
|
||||
]
|
||||
}
|
||||
}
|
||||
if (is_mac) {
|
||||
sources += [
|
||||
|
@ -1,4 +1,5 @@
|
||||
include_rules = [
|
||||
"+chromeos/assistant/buildflags.h",
|
||||
"+sandbox/constants.h",
|
||||
"+sandbox",
|
||||
]
|
||||
|
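--- a/sandbox/policy/linux/bpf_libassistant_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_libassistant_policy_linux.cc
@@ -0,0 +1,40 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/policy/linux/bpf_libassistant_policy_linux.h"
+
+#include <sys/socket.h>
+
+#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
+#include "sandbox/linux/syscall_broker/broker_process.h"
+#include "sandbox/linux/system_headers/linux_syscalls.h"
+#include "sandbox/policy/linux/sandbox_linux.h"
+
+using sandbox::bpf_dsl::Allow;
+using sandbox::bpf_dsl::ResultExpr;
+using sandbox::bpf_dsl::Trap;
+using sandbox::syscall_broker::BrokerProcess;
+
+namespace sandbox {
+namespace policy {
+
+LibassistantProcessPolicy::LibassistantProcessPolicy() = default;
+LibassistantProcessPolicy::~LibassistantProcessPolicy() = default;
+
+ResultExpr LibassistantProcessPolicy::EvaluateSyscall(int sysno) const {
+#if defined(__NR_sched_setscheduler)
+if (sysno == __NR_sched_setscheduler)
+return Allow();
+#endif
+
+auto* sandbox_linux = SandboxLinux::GetInstance();
+if (sandbox_linux->ShouldBrokerHandleSyscall(sysno))
+return sandbox_linux->HandleViaBroker();
+
+return BPFBasePolicy::EvaluateSyscall(sysno);
+}
+
+} // namespace policy
+} // namespace sandbox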
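Review bot: `EvaluateSyscall` returns `Allow()` for `__NR_sched_setscheduler` with no argument filter and no comment, so the sandboxed process may request a scheduling change for any pid it can address, not only its own threads. If Libassistant only adjusts its own threads, a pid-restricted rule would be narrower; the file already includes `syscall_parameters_restrictions.h`, and its `RestrictSchedTarget` helper looks like the intended tool, though whether it covers this syscall needs confirming. At minimum the branch needs a why-comment, e.g. `// Needed by Libassistant for <caller/reason>; unrestricted because <reason>.` with the placeholders filled in. The `<sys/socket.h>` include and the `Trap` and `BrokerProcess` using-declarations are unused in the visible code and can be dropped.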
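--- a/sandbox/policy/linux/bpf_libassistant_policy_linux.h
+++ b/sandbox/policy/linux/bpf_libassistant_policy_linux.h
@@ -0,0 +1,28 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_POLICY_LINUX_BPF_LIBASSISTANT_POLICY_LINUX_H_
+#define SANDBOX_POLICY_LINUX_BPF_LIBASSISTANT_POLICY_LINUX_H_
+
+#include "sandbox/policy/linux/bpf_base_policy_linux.h"
+
+namespace sandbox {
+namespace policy {
+
+// This policy can be used by Libassistant utility processes.
+class LibassistantProcessPolicy : public BPFBasePolicy {
+public:
+LibassistantProcessPolicy();
+LibassistantProcessPolicy(const LibassistantProcessPolicy&) = delete;
+LibassistantProcessPolicy& operator=(const LibassistantProcessPolicy&) =
+delete;
+~LibassistantProcessPolicy() override;
+
+bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override;
+};
+
+} // namespace policy
+} // namespace sandbox
+
+#endif // SANDBOX_POLICY_LINUX_BPF_LIBASSISTANT_POLICY_LINUX_H_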
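Review bot: The class comment `// This policy can be used by Libassistant utility processes.` does not say what the policy permits beyond BPFBasePolicy, which is what someone auditing the sandbox needs from this header. EvaluateSyscall in the accompanying .cc returns Allow() for `sched_setscheduler` without inspecting its arguments and hands the syscalls selected by `ShouldBrokerHandleSyscall` to the broker before falling back to the base policy. I would extend the comment to state that, e.g. `// Extends BPFBasePolicy: allows sched_setscheduler and sends broker-eligible syscalls to the broker.` If the scheduler call is only needed for the process's own threads (not visible from here), the comment should say so and carry a TODO to narrow the rule with a helper such as RestrictSchedTarget from syscall_parameters_restrictions.h, which the .cc already includes.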
|
@ -58,6 +58,11 @@
|
||||
#include "sandbox/policy/features.h"
|
||||
#include "sandbox/policy/linux/bpf_ime_policy_linux.h"
|
||||
#include "sandbox/policy/linux/bpf_tts_policy_linux.h"
|
||||
|
||||
#include "chromeos/assistant/buildflags.h"
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#include "sandbox/policy/linux/bpf_libassistant_policy_linux.h"
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
|
||||
using sandbox::bpf_dsl::Allow;
|
||||
@ -191,6 +196,10 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
|
||||
return std::make_unique<ImeProcessPolicy>();
|
||||
case SandboxType::kTts:
|
||||
return std::make_unique<TtsProcessPolicy>();
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
case SandboxType::kLibassistant:
|
||||
return std::make_unique<LibassistantProcessPolicy>();
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
case SandboxType::kZygoteIntermediateSandbox:
|
||||
case SandboxType::kNoSandbox:
|
||||
@ -235,6 +244,9 @@ void SandboxSeccompBPF::RunSandboxSanityChecks(
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
case SandboxType::kIme:
|
||||
case SandboxType::kTts:
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
case SandboxType::kLibassistant:
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
case SandboxType::kAudio:
|
||||
case SandboxType::kSharingService:
|
||||
|
@ -55,6 +55,9 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) {
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
case SandboxType::kIme:
|
||||
case SandboxType::kTts:
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
case SandboxType::kLibassistant:
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif
|
||||
#if !defined(OS_MAC)
|
||||
case SandboxType::kSharingService:
|
||||
@ -121,6 +124,9 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line,
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
case SandboxType::kIme:
|
||||
case SandboxType::kTts:
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
case SandboxType::kLibassistant:
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
#if !defined(OS_MAC)
|
||||
case SandboxType::kSharingService:
|
||||
@ -250,6 +256,10 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) {
|
||||
return switches::kImeSandbox;
|
||||
case SandboxType::kTts:
|
||||
return switches::kTtsSandbox;
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
case SandboxType::kLibassistant:
|
||||
return switches::kLibassistantSandbox;
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
// The following are not utility processes so should not occur.
|
||||
case SandboxType::kRenderer:
|
||||
@ -311,6 +321,10 @@ SandboxType UtilitySandboxTypeFromString(const std::string& sandbox_string) {
|
||||
return SandboxType::kIme;
|
||||
if (sandbox_string == switches::kTtsSandbox)
|
||||
return SandboxType::kTts;
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
if (sandbox_string == switches::kLibassistantSandbox)
|
||||
return SandboxType::kLibassistant;
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
return SandboxType::kUtility;
|
||||
}
|
||||
|
@ -12,6 +12,10 @@
|
||||
#include "build/chromeos_buildflags.h"
|
||||
#include "sandbox/policy/export.h"
|
||||
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
#include "chromeos/assistant/buildflags.h"
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
|
||||
namespace sandbox {
|
||||
namespace policy {
|
||||
|
||||
@ -77,6 +81,11 @@ enum class SandboxType {
|
||||
kIme,
|
||||
// Text-to-speech.
|
||||
kTts,
|
||||
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
kLibassistant,
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
|
||||
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
|
||||
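Review bot: `kLibassistant` is added to the enum without a comment, while the neighbouring entries are documented (`// Text-to-speech.` above `kTts`); add a matching line such as `// Libassistant service.` above it. Because the enumerator exists only under `BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)`, every switch over SandboxType has to repeat the same guard, as the other files in this commit do, and a missed guard shows up only in one of the two build configurations. A short remark to that effect next to the enumerator would help the next person adding a switch. The enum body starts and ends outside the hunk.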
|
@ -46,6 +46,9 @@ const char kMediaFoundationCdmSandbox[] = "mf_cdm";
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
const char kImeSandbox[] = "ime";
|
||||
const char kTtsSandbox[] = "tts";
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
const char kLibassistantSandbox[] = "libassistant";
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
|
||||
// Flags owned by the service manager sandbox.
|
||||
|
@ -9,6 +9,10 @@
|
||||
#include "build/chromeos_buildflags.h"
|
||||
#include "sandbox/policy/export.h"
|
||||
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
#include "chromeos/assistant/buildflags.h"
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
|
||||
namespace sandbox {
|
||||
namespace policy {
|
||||
namespace switches {
|
||||
@ -43,6 +47,9 @@ SANDBOX_POLICY_EXPORT extern const char kMediaFoundationCdmSandbox[];
|
||||
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
SANDBOX_POLICY_EXPORT extern const char kImeSandbox[];
|
||||
SANDBOX_POLICY_EXPORT extern const char kTtsSandbox[];
|
||||
#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
SANDBOX_POLICY_EXPORT extern const char kLibassistantSandbox[];
|
||||
#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
|
||||
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
||||
|
||||
// Flags owned by the service manager sandbox.
|
||||
|