Allow trusted brokers to restrict connections for spawned applications to whitelisted applications …

mojo/application/public/interfaces/shell.mojom

Index: mojo/application/public/interfaces/shell.mojom
diff --git a/mojo/application/public/interfaces/shell.mojom b/mojo/application/public/interfaces/shell.mojom
index 3e3cd373a1843989ee040efff85a063d517a91a0..6cb8d385f1c0d37e56125d46a47356c651b8c203 100644
--- a/mojo/application/public/interfaces/shell.mojom
+++ b/mojo/application/public/interfaces/shell.mojom
@@ -7,25 +7,39 @@ module mojo;
 import "mojo/application/public/interfaces/service_provider.mojom";
 import "network/public/interfaces/url_loader.mojom";
 
+// Specifies a whitelist of applications and services an application can connect
+// to. Connections to applications not explicitly specified here as a key are
+// rejected. Connections to services not specified in an application's allowed
+// interfaces value are not made.
+// A "*" value as the only key in an otherwise empty map means the application
+// may connect to any other application and potentially any service that is

[yzshen1, 2015/07/22 22:26:47]

Should it be {"*": [ "*" ]} to mean that it allows to connect to any application
and any service that is exposed?

{"*": []} seems natural to mean that the app is allowed to connect to any app
but cannot get any service from them. (For example, this app can connect to any
app and provide service for them, but doesn't require any service in return.)

+// exposed.
+// A "*" value as the only string in an otherwise empty array of interface names
+// means the application may connect to any service in that application.
+struct CapabilityFilter {
+  map<string, array<string>> filter;
+};
+
 // An interface through which a Mojo application may communicate with the Mojo
 // system and request connections to other applications.
 interface Shell {
-  // Establishes a connection with another application (located at
-  // |request->url|) through which the calling application and the other
-  // application may request services from one another. |application_url| is a
-  // URLRequest in case this is called for an HTTP navigation, in which case
-  // HTTP specific information like POST data, referrer header etc... needed.
+  // Establishes a connection with another application ("target application")
+  // (located at |request->url|) through which the calling application and the
+  // target application may request services from one another.
+  // |application_url| is a URLRequest in case this is called for an HTTP
+  // navigation, in which case HTTP specific information like POST data,
+  // referrer header etc... needed.
   //
-  // If the calling application would like to request services from the other
+  // If the calling application would like to request services from the target
   // application, it should pass a valid interface request in the |services|
-  // parameter (i.e. one containing a valid message pipe endpoint). If the other
-  // application does not wish to offer services, it may either not bind an
-  // implementation to the interface request, or else bind an implementation
+  // parameter (i.e. one containing a valid message pipe endpoint). If the
+  // target application does not wish to offer services, it may either not bind
+  // an implementation to the interface request, or else bind an implementation
   // that will reject some or all service requests.
   //
-  // If the calling application would like to offer services to the other
+  // If the calling application would like to offer services to the target
   // application, it should pass a bound interface through the
-  // |exposed_services| parameter. The other application may then request
+  // |exposed_services| parameter. The target application may then request
   // services through that interface.
   //
   // At least one of |services| or |exposed_services| should be valid/bound in
@@ -35,9 +49,16 @@ interface Shell {
   // "mojo:{service}", it is up to the Mojo shell to select an appropriate
   // application for the service. Currently, the shell does this based on the
   // value of its --origin flag.
+  //
+  // |filter| is a whitelist of application URLs and services that the target
+  // application is permitted to connect to. See documentation for
+  // CapabilityFilter above. Note also that this parameter may be NULL, which
+  // has the same meaning as allowing the target application to connect to
+  // any application and service.
   ConnectToApplication(URLRequest application_url,
                        ServiceProvider&? services,
-                       ServiceProvider? exposed_services);
+                       ServiceProvider? exposed_services,
+                       CapabilityFilter? filter);
 
   // When there are no more instantiated services in an application, it should
   // start its shutdown process by calling this method. Additionally, it should