assistant: Sandbox libassistant service

This patch creates a new utility sandbox type of libassistant to sandbox the Libassistant service. Bug: b/155328340 Test: manual Change-Id: Ib65ac7af93f5ee420909389aa03e5252f994782b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2799135 Commit-Queue: Tao Wu <wutao@chromium.org> Reviewed-by: Sam McNally <sammc@chromium.org> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Xiaohui Chen <xiaohuic@chromium.org> Cr-Commit-Position: refs/heads/master@{#876474}
marcosholgado · Apr 27, 2021 · 8c47751 · 8c47751
1 parent 99685c8
commit 8c47751
Show file tree

Hide file tree

Showing 36 changed files with 454 additions and 23 deletions.
diff --git a/chrome/browser/BUILD.gn b/chrome/browser/BUILD.gn
@@ -16,6 +16,7 @@ import("//build/config/ui.gni")
 import("//chrome/browser/buildflags.gni")
 import("//chrome/browser/downgrade/buildflags.gni")
 import("//chrome/common/features.gni")
+import("//chromeos/assistant/assistant.gni")
 import("//components/captive_portal/core/features.gni")
 import("//components/feed/features.gni")
 import("//components/nacl/features.gni")
@@ -2431,6 +2432,10 @@ static_library("browser") {
         "//chromeos/components/telemetry_extension_ui/mojom",
       ]
     }
+
+    if (enable_libassistant_sandbox) {
+      deps += [ "//chromeos/services/libassistant/public/mojom" ]
+    }
   }
   if (is_linux || is_chromeos) {
     deps += [ "//chrome/browser/error_reporting" ]

diff --git a/chrome/browser/chromeos/service_sandbox_type.h b/chrome/browser/chromeos/service_sandbox_type.h
@@ -5,6 +5,7 @@
 #ifndef CHROME_BROWSER_CHROMEOS_SERVICE_SANDBOX_TYPE_H_
 #define CHROME_BROWSER_CHROMEOS_SERVICE_SANDBOX_TYPE_H_
 
+#include "chromeos/assistant/buildflags.h"
 #include "content/public/browser/service_process_host.h"
 #include "sandbox/policy/sandbox_type.h"
 
@@ -42,4 +43,20 @@ content::GetServiceSandboxType<chromeos::tts::mojom::TtsService>() {
   return sandbox::policy::SandboxType::kTts;
 }
 
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+namespace chromeos {
+namespace libassistant {
+namespace mojom {
+class LibassistantService;
+}  // namespace mojom
+}  // namespace libassistant
+}  // namespace chromeos
+
+template <>
+inline sandbox::policy::SandboxType content::GetServiceSandboxType<
+    chromeos::libassistant::mojom::LibassistantService>() {
+  return sandbox::policy::SandboxType::kLibassistant;
+}
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+
 #endif  // CHROME_BROWSER_CHROMEOS_SERVICE_SANDBOX_TYPE_H_
diff --git a/chrome/browser/ui/ash/assistant/assistant_client_impl.cc b/chrome/browser/ui/ash/assistant/assistant_client_impl.cc
@@ -32,6 +32,11 @@
 #include "content/public/common/content_switches.h"
 #include "services/network/public/cpp/shared_url_loader_factory.h"
 
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+#include "chrome/browser/chromeos/service_sandbox_type.h"
+#include "chromeos/services/libassistant/public/mojom/service.mojom.h"
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+
 AssistantClientImpl::AssistantClientImpl() {
   auto* session_manager = session_manager::SessionManager::Get();
   // AssistantClientImpl must be created before any user session is created.
@@ -162,6 +167,18 @@ void AssistantClientImpl::RequestNetworkConfig(
   ash::GetNetworkConfigService(std::move(receiver));
 }
 
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+void AssistantClientImpl::RequestLibassistantService(
+    mojo::PendingReceiver<chromeos::libassistant::mojom::LibassistantService>
+        receiver) {
+  content::ServiceProcessHost::Launch<
+      chromeos::libassistant::mojom::LibassistantService>(
+      std::move(receiver), content::ServiceProcessHost::Options()
+                               .WithDisplayName("Libassistant Service")
+                               .Pass());
+}
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+
 void AssistantClientImpl::OnExtendedAccountInfoUpdated(
     const AccountInfo& info) {
   if (initialized_)

diff --git a/chrome/browser/ui/ash/assistant/assistant_client_impl.h b/chrome/browser/ui/ash/assistant/assistant_client_impl.h
@@ -13,6 +13,7 @@
 #include "base/macros.h"
 #include "base/scoped_observer.h"
 #include "chrome/browser/ui/ash/assistant/device_actions.h"
+#include "chromeos/assistant/buildflags.h"
 #include "chromeos/services/assistant/public/cpp/assistant_client.h"
 #include "chromeos/services/assistant/service.h"
 #include "components/session_manager/core/session_manager_observer.h"
@@ -78,6 +79,11 @@ class AssistantClientImpl : public ash::AssistantClient,
   void RequestNetworkConfig(
       mojo::PendingReceiver<chromeos::network_config::mojom::CrosNetworkConfig>
           receiver) override;
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+  void RequestLibassistantService(
+      mojo::PendingReceiver<chromeos::libassistant::mojom::LibassistantService>
+          receiver) override;
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
 
  private:
   // signin::IdentityManager::Observer:

diff --git a/chrome/utility/BUILD.gn b/chrome/utility/BUILD.gn
@@ -176,6 +176,13 @@ static_library("utility") {
         "//chromeos/services/assistant/audio_decoder:lib",
         "//chromeos/services/assistant/public/mojom",
       ]
+
+      if (enable_libassistant_sandbox) {
+        deps += [
+          "//chromeos/services/libassistant",
+          "//chromeos/services/libassistant/public/mojom",
+        ]
+      }
     }
   }
 

diff --git a/chrome/utility/DEPS b/chrome/utility/DEPS
@@ -27,6 +27,7 @@ include_rules = [
   "+chromeos/services/assistant",
   "+chromeos/services/ime/ime_service.h",
   "+chromeos/services/ime/public/mojom",
+  "+chromeos/services/libassistant/libassistant_service.h",
   "+chromeos/services/nearby",
   "+chromeos/services/tts",
   "+components/crash/core/common/crash_keys.h",

diff --git a/chrome/utility/services.cc b/chrome/utility/services.cc
@@ -108,6 +108,10 @@
 
 #if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
 #include "chromeos/services/assistant/audio_decoder/assistant_audio_decoder_factory.h"  // nogncheck
+
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+#include "chromeos/services/libassistant/libassistant_service.h"  // nogncheck
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
 #endif  // BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
 #endif  // BUILDFLAG(IS_CHROMEOS_ASH)
 
@@ -293,8 +297,17 @@ auto RunAssistantAudioDecoder(
   return std::make_unique<chromeos::assistant::AssistantAudioDecoderFactory>(
       std::move(receiver));
 }
-#endif
-#endif
+
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+auto RunLibassistantService(
+    mojo::PendingReceiver<chromeos::libassistant::mojom::LibassistantService>
+        receiver) {
+  return std::make_unique<chromeos::libassistant::LibassistantService>(
+      std::move(receiver));
+}
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+#endif  // BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
+#endif  // BUILDFLAG(IS_CHROMEOS_ASH)
 
 }  // namespace
 
@@ -374,8 +387,11 @@ void RegisterMainThreadServices(mojo::ServiceFactory& services) {
   services.Add(RunLocalSearchService);
 #if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
   services.Add(RunAssistantAudioDecoder);
-#endif
-#endif
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+  services.Add(RunLibassistantService);
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+#endif  // BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
+#endif  // BUILDFLAG(IS_CHROMEOS_ASH)
 }
 
 void RegisterIOThreadServices(mojo::ServiceFactory& services) {

diff --git a/chromeos/assistant/BUILD.gn b/chromeos/assistant/BUILD.gn
@@ -11,6 +11,7 @@ buildflag_header("buildflags") {
 
   flags = [
     "ENABLE_CROS_LIBASSISTANT=$enable_cros_libassistant",
+    "ENABLE_LIBASSISTANT_SANDBOX=$enable_cros_libassistant && $enable_libassistant_sandbox",
     "ENABLE_CROS_AMBIENT_MODE_BACKEND=$enable_cros_ambient_mode_backend",
   ]
 }
diff --git a/chromeos/assistant/assistant.gni b/chromeos/assistant/assistant.gni
@@ -5,6 +5,9 @@ declare_args() {
   # Enable assistant implementation based on libassistant.
   enable_cros_libassistant = is_chromeos_ash && is_chrome_branded
 
+  # Enable sandboxing LibAssistant service.
+  enable_libassistant_sandbox = false
+
   # Enable a fake microphone, which can replay audio files as microphone input.
   # See chromeos/assistant/tools/send-audio.sh
   enable_fake_assistant_microphone = false

diff --git a/chromeos/services/assistant/BUILD.gn b/chromeos/services/assistant/BUILD.gn
@@ -95,6 +95,10 @@ source_set("libassistant_service_host") {
 
   if (enable_cros_libassistant) {
     deps += [ "//chromeos/services/libassistant" ]
+
+    if (enable_libassistant_sandbox) {
+      deps += [ "//chromeos/services/assistant/public/cpp" ]
+    }
   }
 }
 

diff --git a/chromeos/services/assistant/libassistant_service_host_impl.cc b/chromeos/services/assistant/libassistant_service_host_impl.cc
@@ -11,32 +11,45 @@
 
 #if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
 #include "chromeos/services/libassistant/libassistant_service.h"
-#endif
+
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+#include "chromeos/services/assistant/public/cpp/assistant_client.h"  // nogncheck
+#include "chromeos/services/libassistant/public/mojom/service.mojom-forward.h"  // nogncheck
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+#endif  // BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
 
 namespace chromeos {
 namespace assistant {
 
 #if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
 
 LibassistantServiceHostImpl::LibassistantServiceHostImpl() {
+#if !BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
   DETACH_FROM_SEQUENCE(sequence_checker_);
+#endif
 }
 
 LibassistantServiceHostImpl::~LibassistantServiceHostImpl() = default;
 
 void LibassistantServiceHostImpl::Launch(
     mojo::PendingReceiver<chromeos::libassistant::mojom::LibassistantService>
         receiver) {
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+  AssistantClient::Get()->RequestLibassistantService(std::move(receiver));
+#else
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(!libassistant_service_);
   libassistant_service_ =
       std::make_unique<chromeos::libassistant::LibassistantService>(
           std::move(receiver));
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
 }
 
 void LibassistantServiceHostImpl::Stop() {
+#if !BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   libassistant_service_ = nullptr;
+#endif
 }
 
 #else

diff --git a/chromeos/services/assistant/libassistant_service_host_impl.h b/chromeos/services/assistant/libassistant_service_host_impl.h
@@ -37,7 +37,8 @@ class LibassistantServiceHostImpl : public LibassistantServiceHost {
   void Stop() override;
 
  private:
-#if BUILDFLAG(ENABLE_CROS_LIBASSISTANT)
+#if BUILDFLAG(ENABLE_CROS_LIBASSISTANT) && \
+    !BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
   SEQUENCE_CHECKER(sequence_checker_);
   std::unique_ptr<chromeos::libassistant::LibassistantService>
       libassistant_service_ GUARDED_BY_CONTEXT(sequence_checker_);

diff --git a/chromeos/services/assistant/proxy/assistant_proxy.cc b/chromeos/services/assistant/proxy/assistant_proxy.cc
@@ -55,6 +55,8 @@ void AssistantProxy::LaunchLibassistantServiceOnBackgroundThread(
 }
 
 void AssistantProxy::StopLibassistantService() {
+  libassistant_service_.reset();
+
   // |libassistant_service_| is launched on the background thread, so we have to
   // stop it there as well.
   background_task_runner()->PostTask(

diff --git a/chromeos/services/assistant/public/cpp/BUILD.gn b/chromeos/services/assistant/public/cpp/BUILD.gn
@@ -40,5 +40,8 @@ component("cpp") {
     "//ui/accessibility/mojom",
   ]
 
-  deps = [ "//components/prefs" ]
+  deps = [
+    "//chromeos/assistant:buildflags",
+    "//components/prefs",
+  ]
 }
diff --git a/chromeos/services/assistant/public/cpp/assistant_client.h b/chromeos/services/assistant/public/cpp/assistant_client.h
@@ -7,6 +7,7 @@
 
 #include "ash/public/mojom/assistant_volume_control.mojom.h"
 #include "base/component_export.h"
+#include "chromeos/assistant/buildflags.h"
 #include "chromeos/services/assistant/public/cpp/assistant_enums.h"
 #include "chromeos/services/assistant/public/mojom/assistant_audio_decoder.mojom.h"
 #include "chromeos/services/libassistant/public/cpp/assistant_notification.h"
@@ -18,6 +19,10 @@
 #include "services/media_session/public/mojom/audio_focus.mojom.h"
 #include "services/media_session/public/mojom/media_controller.mojom.h"
 
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+#include "chromeos/services/libassistant/public/mojom/service.mojom-forward.h"
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+
 namespace chromeos {
 namespace assistant {
 
@@ -74,6 +79,13 @@ class COMPONENT_EXPORT(ASSISTANT_SERVICE_PUBLIC) AssistantClient {
   virtual void RequestNetworkConfig(
       mojo::PendingReceiver<chromeos::network_config::mojom::CrosNetworkConfig>
           receiver) = 0;
+
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+  // Requests a connection to Libassistant service interface via the browser.
+  virtual void RequestLibassistantService(
+      mojo::PendingReceiver<chromeos::libassistant::mojom::LibassistantService>
+          receiver) = 0;
+#endif  // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
 };
 
 }  // namespace assistant

diff --git a/chromeos/services/libassistant/BUILD.gn b/chromeos/services/libassistant/BUILD.gn
@@ -7,6 +7,19 @@ import("//chromeos/assistant/assistant.gni")
 
 assert(enable_cros_libassistant)
 
+component("constants") {
+  output_name = "libassistant_constants"
+  defines = [ "IS_LIBASSISTANT_CONSTANTS_IMPL" ]
+  deps = [
+    "//base",
+    "//build:branding_buildflags",
+  ]
+  sources = [
+    "constants.cc",
+    "constants.h",
+  ]
+}
+
 component("libassistant") {
   sources = [
     "libassistant_service.cc",
@@ -29,6 +42,20 @@ component("libassistant") {
   output_name = "lib_libassistant_service"
 }
 
+source_set("sandbox_hook") {
+  sources = [
+    "libassistant_sandbox_hook.cc",
+    "libassistant_sandbox_hook.h",
+  ]
+
+  deps = [
+    ":constants",
+    "//base",
+    "//sandbox/linux:sandbox_services",
+    "//sandbox/policy",
+  ]
+}
+
 source_set("internal") {
   visibility = [ ":*" ]
 
@@ -82,7 +109,9 @@ source_set("internal") {
 
   deps = [
     ":audio",
+    ":constants",
     "//build/util:webkit_version",
+    "//chromeos/assistant:buildflags",
     "//chromeos/assistant/internal",
     "//chromeos/assistant/internal:buildflags",
     "//chromeos/assistant/internal:libassistant",

diff --git a/chromeos/services/libassistant/DEPS b/chromeos/services/libassistant/DEPS
@@ -6,6 +6,9 @@ include_rules = [
   "+media/audio",
   "+media/base",
   "+media/mojo/mojom",
+  "+sandbox/linux/syscall_broker/broker_command.h",
+  "+sandbox/linux/syscall_broker/broker_file_permission.h",
+  "+sandbox/policy/linux/sandbox_linux.h",
   "+services/audio/public",
   "+services/device/public/mojom",
   "+services/media_session/public/mojom",

diff --git a/chromeos/services/libassistant/constants.cc b/chromeos/services/libassistant/constants.cc
@@ -0,0 +1,21 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromeos/services/libassistant/constants.h"
+
+#include "base/files/file_util.h"
+
+#define ASSISTANT_DIR_STRING "google-assistant-library"
+
+namespace chromeos {
+namespace libassistant {
+
+const base::FilePath::CharType kAssistantBaseDirPath[] =
+    FILE_PATH_LITERAL("/home/chronos/user/" ASSISTANT_DIR_STRING);
+
+const base::FilePath::CharType kAssistantTempBaseDirPath[] =
+    FILE_PATH_LITERAL("/tmp/" ASSISTANT_DIR_STRING);
+
+}  // namespace libassistant
+}  // namespace chromeos