[fuchsia] Remove web-context sandbox type.

The sandbox applied to each web instance is now defined by the Component manifest at //fuchsia/engine/web_instance.cmx. Bug: 1010222 Change-Id: I08cd0d08bd846f38ff4802f0693701afcaf3923c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2818025 Auto-Submit: Wez <wez@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: David Dorwin <ddorwin@chromium.org> Reviewed-by: Sergey Ulanov <sergeyu@chromium.org> Cr-Commit-Position: refs/heads/master@{#873882}
marcosholgado · Apr 19, 2021 · 7563e2a · 7563e2a
1 parent 5fdb5b4
commit 7563e2a
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 53 deletions.
diff --git a/content/browser/child_process_launcher_helper_fuchsia.cc b/content/browser/child_process_launcher_helper_fuchsia.cc
@@ -21,8 +21,6 @@ const char* ProcessNameFromSandboxType(
   switch (sandbox_type) {
     case sandbox::policy::SandboxType::kNoSandbox:
       return nullptr;
-    case sandbox::policy::SandboxType::kWebContext:
-      return "context";
     case sandbox::policy::SandboxType::kRenderer:
       return "renderer";
     case sandbox::policy::SandboxType::kUtility:

diff --git a/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc b/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc
@@ -55,31 +55,15 @@ enum SandboxFeature {
   // Read only access to /config/ssl, which contains root certs info.
   kProvideSslConfig = 1 << 2,
 
-  // Uses a service directory channel that is explicitly passed by the caller
-  // instead of automatically connecting to the service directory of the current
-  // process' namespace. Intended for use by SandboxType::kWebContext.
-  kUseServiceDirectoryOverride = 1 << 3,
-
   // Allows the process to use the ambient mark-vmo-as-executable capability.
-  kAmbientMarkVmoAsExecutable = 1 << 4,
+  kAmbientMarkVmoAsExecutable = 1 << 3,
 };
 
 struct SandboxConfig {
   base::span<const char* const> services;
   uint32_t features;
 };
 
-constexpr SandboxConfig kWebContextConfig = {
-    // Services directory is passed by calling SetServiceDirectory().
-    base::span<const char* const>(),
-
-    // Context processes only actually use the kUseServiceDirectoryOverride
-    // and kCloneJob |features| themselves. However, they must be granted
-    // all of the other features to delegate to child processes.
-    kCloneJob | kProvideVulkanResources | kProvideSslConfig |
-        kUseServiceDirectoryOverride,
-};
-
 constexpr SandboxConfig kGpuConfig = {
     base::make_span((const char* const[]){
         fuchsia::sysmem::Allocator::Name_,
@@ -132,8 +116,6 @@ const SandboxConfig* GetConfigForSandboxType(SandboxType type) {
       return &kNetworkConfig;
     case SandboxType::kRenderer:
       return &kRendererConfig;
-    case SandboxType::kWebContext:
-      return &kWebContextConfig;
     case SandboxType::kVideoCapture:
       return &kVideoCaptureConfig;
     // Remaining types receive no-access-to-anything.
@@ -166,12 +148,13 @@ SandboxPolicyFuchsia::SandboxPolicyFuchsia(SandboxType type) {
   } else {
     type_ = type;
   }
+
   // If we need to pass some services for the given sandbox type then create
   // |sandbox_directory_| and initialize it with the corresponding list of
   // services. FilteredServiceDirectory must be initialized on a thread that has
   // async_dispatcher.
   const SandboxConfig* config = GetConfigForSandboxType(type_);
-  if (config && !(config->features & kUseServiceDirectoryOverride)) {
+  if (config) {
     service_directory_task_runner_ = base::ThreadTaskRunnerHandle::Get();
     service_directory_ = std::make_unique<base::FilteredServiceDirectory>(
         base::ComponentContextForProcess()->svc().get());
@@ -201,14 +184,6 @@ SandboxPolicyFuchsia::~SandboxPolicyFuchsia() {
   }
 }
 
-void SandboxPolicyFuchsia::SetServiceDirectory(
-    fidl::InterfaceHandle<::fuchsia::io::Directory> service_directory_client) {
-  DCHECK(GetConfigForSandboxType(type_)->features &
-         kUseServiceDirectoryOverride);
-  DCHECK(!service_directory_client_);
-
-  service_directory_client_ = std::move(service_directory_client);
-}
 
 void SandboxPolicyFuchsia::UpdateLaunchOptionsForSandbox(
     base::LaunchOptions* options) {

diff --git a/sandbox/policy/fuchsia/sandbox_policy_fuchsia.h b/sandbox/policy/fuchsia/sandbox_policy_fuchsia.h
@@ -28,11 +28,8 @@ class SANDBOX_POLICY_EXPORT SandboxPolicyFuchsia {
   explicit SandboxPolicyFuchsia(SandboxType type);
   ~SandboxPolicyFuchsia();
 
-  // Sets the service directory to pass to the child process when launching it.
-  // This is only supported for SandboxType::kWebContext processes.  If this is
-  // not called for a WEB_CONTEXT process then it will receive no services.
-  void SetServiceDirectory(
-      fidl::InterfaceHandle<::fuchsia::io::Directory> service_directory_client);
+  SandboxPolicyFuchsia(const SandboxPolicyFuchsia&) = delete;
+  SandboxPolicyFuchsia& operator=(const SandboxPolicyFuchsia&) = delete;
 
   // Modifies the process launch |options| to achieve  the level of
   // isolation appropriate for current the sandbox type. The caller may then add
@@ -50,8 +47,6 @@ class SANDBOX_POLICY_EXPORT SandboxPolicyFuchsia {
 
   // Job in which the child process is launched.
   zx::job job_;
-
-  DISALLOW_COPY_AND_ASSIGN(SandboxPolicyFuchsia);
 };
 
 }  // namespace policy

diff --git a/sandbox/policy/sandbox_type.cc b/sandbox/policy/sandbox_type.cc
@@ -49,9 +49,6 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) {
     case SandboxType::kCdm:
     case SandboxType::kPrintBackend:
     case SandboxType::kPrintCompositor:
-#if defined(OS_FUCHSIA)
-    case SandboxType::kWebContext:
-#endif
 #if defined(OS_MAC)
     case SandboxType::kNaClLoader:
 #endif
@@ -136,10 +133,6 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line,
           switches::kServiceSandboxType,
           StringFromUtilitySandboxType(sandbox_type));
       break;
-#if defined(OS_FUCHSIA)
-    case SandboxType::kWebContext:
-      break;
-#endif  // defined(OS_FUCHSIA)
 #if defined(OS_MAC)
     case SandboxType::kNaClLoader:
       break;
@@ -267,9 +260,6 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) {
 #if defined(OS_MAC)
     case SandboxType::kNaClLoader:
 #endif  // defined(OS_MAC)
-#if defined(OS_FUCHSIA)
-    case SandboxType::kWebContext:
-#endif  // defined(OS_FUCHSIA)
 #if defined(OS_LINUX) || defined(OS_CHROMEOS)
     case SandboxType::kZygoteIntermediateSandbox:
 #endif

diff --git a/sandbox/policy/sandbox_type.h b/sandbox/policy/sandbox_type.h
@@ -40,12 +40,6 @@ enum class SandboxType {
   kMediaFoundationCdm,
 #endif
 
-#if defined(OS_FUCHSIA)
-  // Sandbox type for the web::Context process on Fuchsia. Functionally it's an
-  // equivalent of the browser process on other platforms.
-  kWebContext,
-#endif
-
   // Renderer or worker process. Most common case.
   kRenderer,