// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef COMPONENTS_EXO_SECURITY_DELEGATE_H_
#define COMPONENTS_EXO_SECURITY_DELEGATE_H_

#include <memory>
#include <string>

namespace aura {
// Forward declaration only: this header passes aura::Window by pointer and
// never dereferences it, so the full aura header is not needed here.
class Window;
}

namespace exo {

// Defines the set of actions/associations which are needed to implement a
// per-product Exo server. "Product" here refers to things like "Crostini",
// "ArcVM" and "Lacros", and is distinct from wayland's notion of a client. Each
// product may have multiple clients associated with it.
//
// TODO(b/200896773): Flesh this class out once we're clear on what things
// should be secure.
class SecurityDelegate {
 public:
  // Returns a SecurityDelegate with all of the default policy decisions.
  // Ownership passes to the caller. The default return values of the
  // overridable methods below are defined in the .cc file, not in this header.
  static std::unique_ptr<SecurityDelegate> GetDefaultSecurityDelegate();

  // Virtual so that a product-specific subclass can be destroyed through the
  // std::unique_ptr<SecurityDelegate> handed out above.
  virtual ~SecurityDelegate();

  // The path of the wayland server will be determined (partially) by its
  // security context. This process is documented in go/secure-exo-ids. All
  // sockets for the same security context will be placed in a single directory;
  // on ChromeOS that directory is "/run/wayland/<context>/". The intention is
  // that systems that need access to the wayland socket will mount their
  // security context's directory into their mount namespace, and not others'.
  //
  // The empty string refers to "no security context": only the default wayland
  // server may use it, and it is an error to spawn a non-default server without
  // a security context.
  //
  // NOTE(review): because the returned value becomes a path component,
  // implementations should return a fixed, trusted identifier (no separators,
  // no "..") rather than anything derived from client-controlled data. This
  // header does not show where (or whether) the value is validated — confirm
  // in the code that creates the server socket directory.
  virtual std::string GetSecurityContext() const = 0;

  // "Self-activation" is a security-sensitive windowing operation that is a
  // common paradigm in X11. The need to self-activate is controlled
  // per-subsystem, i.e. a product like ARC++ knows that its windows should be
  // able to self activate, whereas Crostini knows they usually shouldn't.
  //
  // Returns true if |window| may activate itself. The base-class default is
  // implemented in the .cc file and is not visible here — check it before
  // relying on it in a new product's delegate.
  virtual bool CanSelfActivate(aura::Window* window) const;

  // Called when a client makes a pointer lock request, as defined in the
  // pointer-constraints-unstable-v1.xml extension protocol. Returns true if the
  // client owning |window| may lock the location of the pointer and disable
  // movement, or false to reject the pointer lock request. As with
  // CanSelfActivate, the base-class default lives in the .cc file.
  virtual bool CanLockPointer(aura::Window* window) const;
};

}  // namespace exo

#endif  // COMPONENTS_EXO_SECURITY_DELEGATE_H_