Allow trusted brokers to restrict connections for spawned applications to whitelisted applications …

mojo/application/public/interfaces/shell.mojom

Index: mojo/application/public/interfaces/shell.mojom
diff --git a/mojo/application/public/interfaces/shell.mojom b/mojo/application/public/interfaces/shell.mojom
index 3e3cd373a1843989ee040efff85a063d517a91a0..d1d374ef372f960ca7c5fc48e8a0ebfa3a7f60d2 100644
--- a/mojo/application/public/interfaces/shell.mojom
+++ b/mojo/application/public/interfaces/shell.mojom
@@ -7,25 +7,30 @@ module mojo;
 import "mojo/application/public/interfaces/service_provider.mojom";
 import "network/public/interfaces/url_loader.mojom";
 
+struct CapabilityFilter {
+  map<string, array<string>> filter;
+};
+
 // An interface through which a Mojo application may communicate with the Mojo
 // system and request connections to other applications.
 interface Shell {
-  // Establishes a connection with another application (located at
-  // |request->url|) through which the calling application and the other
-  // application may request services from one another. |application_url| is a
-  // URLRequest in case this is called for an HTTP navigation, in which case
-  // HTTP specific information like POST data, referrer header etc... needed.
+  // Establishes a connection with another application ("target application")
+  // (located at |request->url|) through which the calling application and the
+  // target application may request services from one another.
+  // |application_url| is a URLRequest in case this is called for an HTTP
+  // navigation, in which case HTTP specific information like POST data,
+  // referrer header etc... needed.
   //
-  // If the calling application would like to request services from the other
+  // If the calling application would like to request services from the target
   // application, it should pass a valid interface request in the |services|
-  // parameter (i.e. one containing a valid message pipe endpoint). If the other
-  // application does not wish to offer services, it may either not bind an
-  // implementation to the interface request, or else bind an implementation
+  // parameter (i.e. one containing a valid message pipe endpoint). If the
+  // target application does not wish to offer services, it may either not bind
+  // an implementation to the interface request, or else bind an implementation
   // that will reject some or all service requests.
   //
-  // If the calling application would like to offer services to the other
+  // If the calling application would like to offer services to the target
   // application, it should pass a bound interface through the
-  // |exposed_services| parameter. The other application may then request
+  // |exposed_services| parameter. The target application may then request
   // services through that interface.
   //
   // At least one of |services| or |exposed_services| should be valid/bound in
@@ -35,9 +40,20 @@ interface Shell {
   // "mojo:{service}", it is up to the Mojo shell to select an appropriate
   // application for the service. Currently, the shell does this based on the
   // value of its --origin flag.
+  //
+  // |filter| is a whitelist of application URLs that the target application
+  // is permitted to connect to, and for each permitted application a
+  // corresponding set of services that may be exposed to the target
+  // application. The purpose of this parameter is to limit the target
+  // application's visibility of the full set of applications and services
+  // available to trusted applications. If this value is null, no filtering is
+  // specified and the target application can connect to all applications. If
+  // any application entry in the mapping presents an empty set of services,

[yzshen1, 2015/07/22 17:53:58]

I feel that it is possible that the trusted broker may allow an app A to connect
to another app B, but disallow B to expose any interface to A. (For example, A
exposes interfaces to B but not the other way around.)

In that case, it seems natural to pass {"B" -> *empty* or *null* Array} into 
ConnectToApplication when launching A, meaning *no* interface allowed.

I think we should have another way to express *all* allowed. Maybe we should use
an Array containing a "*"?

+  // that application may offer all its services to the target application.
   ConnectToApplication(URLRequest application_url,
                        ServiceProvider&? services,
-                       ServiceProvider? exposed_services);
+                       ServiceProvider? exposed_services,
+                       CapabilityFilter? filter);
 
   // When there are no more instantiated services in an application, it should
   // start its shutdown process by calling this method. Additionally, it should