Add a user id parameter to connections

Add a user id parameter to connections.

This is simply a uint32 that identifies the user running a particular instance. Note that the shell cares nothing about higher level semantic meaning/mapping of this identifier. That's for a user service to perform.

An application that connects to another specifies the user id they wish the target to be run as. This can either be a specific user, the root user, or "inherit" which means either their own identity or root, whichever is available in that order.

The application manager resolves "inherit" to the source identity or the root identity, and initializes & completes the connection.

When a target application is initialized, the shell tells it (via Initialize()) the identity it is run as.

When a target application receives an inbound connection, the shell tells it (via AcceptConnection) the identity of the caller. This allows a service run as root to service connections from other users, and create facades scoped to that user.

Long term, only specific applications will be able to pass anything other than "inherit" as the user id. (e.g. the login app and the profile creator app). This isn't done in this CL.

I need to add some tests for this, along with the rest of the shell stuff. TBD.

R=sky@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation

Committed: https://crrev.com/a16b491f249de01d84114889f2ea3a8aea966413
Cr-Commit-Position: refs/heads/master@{#377239}

[Ben Goodger (Google), 2016-02-23 18:53:11]

Description was changed from

==========
uid

BUG=
==========

to

==========
uid

BUG=
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

[Ben Goodger (Google), 2016-02-23 19:11:56]

Description was changed from

==========
uid

BUG=
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Add a user id parameter to connections.

This is simply a uint32 that identifies the user running a particular instance.
Note that the shell cares nothing about higher level semantic meaning/mapping of
this identifier. That's for a user service to perform.

An application that connects to another specifies the user id they wish the
target to be run as. This can either be a specific user, the root user, or
"inherit" which means either their own identity or root, whichever is available
in that order.

The application manager resolves "inherit" to the source identity or the root
identity, and initializes & completes the connection.

When a target application is initialized, the shell tells it (via Initialize())
the identity it is run as.

When a target application receives an inbound connection, the shell tells it
(via AcceptConnection) the identity of the caller. This allows a service run as
root to service connections from other users, and create facades scoped to that
user.

Long term, only specific applications will be able to pass anything other than
"inherit" as the user id. (e.g. the login app and the profile creator app). This
isn't done in this CL.

I need to add some tests for this, along with the rest of the shell stuff. TBD.

R=sky@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

[Ben Goodger (Google), 2016-02-23 19:11:56]

ben@chromium.org changed reviewers:
+ sky@chromium.org

[Ben Goodger (Google), 2016-02-23 19:18:31]

The interesting bits are in mojo/shell, the rest is mostly just a signature
change to ShellClient::Initialize().

[sky, 2016-02-23 21:15:13]

LGTM with better comments about the ids, and run git cl format.

https://codereview.chromium.org/1719193003/diff/120001/mojo/shell/identity.cc
File mojo/shell/identity.cc (right):

https://codereview.chromium.org/1719193003/diff/120001/mojo/shell/identity.cc...
mojo/shell/identity.cc:56: return user_id_ != other.user_id_;
return user_id_ < other.user_id_;

https://codereview.chromium.org/1719193003/diff/120001/mojo/shell/public/inte...
File mojo/shell/public/interfaces/shell.mojom (right):

https://codereview.chromium.org/1719193003/diff/120001/mojo/shell/public/inte...
mojo/shell/public/interfaces/shell.mojom:58: uint32 user_id,
Document what user_id means and how it's used.

https://codereview.chromium.org/1719193003/diff/120001/mojo/shell/public/inte...
File mojo/shell/public/interfaces/shell_client.mojom (right):

https://codereview.chromium.org/1719193003/diff/120001/mojo/shell/public/inte...
mojo/shell/public/interfaces/shell_client.mojom:31: Initialize(Shell shell,
string url, uint32 id, uint32 user_id);
Please add more comments as to what the ids mean.

[Ben Goodger (Google), 2016-02-23 21:49:42]

The CQ bit was checked by ben@chromium.org

[Ben Goodger (Google), 2016-02-23 21:49:42]

The patchset sent to the CQ was uploaded after l-g-t-m from sky@chromium.org
Link to the patchset: https://codereview.chromium.org/1719193003/#ps140001
(title: ".")

[commit-bot: I haz the power, 2016-02-23 21:54:13]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1719193003/140001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1719193003/140001

[commit-bot: I haz the power, 2016-02-23 22:16:54]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-02-23 22:16:55]

Try jobs failed on following builders:
  cast_shell_android on tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/cast_shell_a...)
  cast_shell_linux on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)
  chromeos_daisy_chromium_compile_only_ng on tryserver.chromium.linux
(JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromeos_daisy_...)
  chromeos_x86-generic_chromium_compile_only_ng on tryserver.chromium.linux
(JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromeos_x86-ge...)
  linux_chromium_compile_dbg_32_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
  mac_chromium_compile_dbg_ng on tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_comp...)
  mac_chromium_rel_ng on tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_...)

[Ben Goodger (Google), 2016-02-23 22:21:37]

The CQ bit was checked by ben@chromium.org

[Ben Goodger (Google), 2016-02-23 22:21:37]

The patchset sent to the CQ was uploaded after l-g-t-m from sky@chromium.org
Link to the patchset: https://codereview.chromium.org/1719193003/#ps160001
(title: ".")

[commit-bot: I haz the power, 2016-02-23 22:22:54]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1719193003/160001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1719193003/160001

[commit-bot: I haz the power, 2016-02-23 22:41:45]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-02-23 22:41:47]

Try jobs failed on following builders:
  cast_shell_linux on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)
  linux_chromium_gn_chromeos_rel on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
  mac_chromium_compile_dbg_ng on tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_comp...)
  mac_chromium_gn_rel on tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_gn_r...)
  mac_chromium_rel_ng on tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_...)

[Ben Goodger (Google), 2016-02-23 22:58:27]

The CQ bit was checked by ben@chromium.org

[Ben Goodger (Google), 2016-02-23 22:58:27]

The patchset sent to the CQ was uploaded after l-g-t-m from sky@chromium.org
Link to the patchset: https://codereview.chromium.org/1719193003/#ps180001
(title: ".")

[commit-bot: I haz the power, 2016-02-23 23:01:09]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1719193003/180001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1719193003/180001

[commit-bot: I haz the power, 2016-02-23 23:42:27]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-02-23 23:42:28]

Try jobs failed on following builders:
  cast_shell_linux on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)

[Ben Goodger (Google), 2016-02-24 04:09:56]

The CQ bit was checked by ben@chromium.org

[Ben Goodger (Google), 2016-02-24 04:09:59]

The patchset sent to the CQ was uploaded after l-g-t-m from sky@chromium.org
Link to the patchset: https://codereview.chromium.org/1719193003/#ps220001
(title: ".")

[commit-bot: I haz the power, 2016-02-24 04:11:28]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1719193003/220001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1719193003/220001

[commit-bot: I haz the power, 2016-02-24 05:13:36]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-02-24 05:13:37]

Try jobs failed on following builders:
  cast_shell_linux on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)

[Ben Goodger (Google), 2016-02-24 05:58:27]

The CQ bit was checked by ben@chromium.org

[Ben Goodger (Google), 2016-02-24 05:58:28]

The patchset sent to the CQ was uploaded after l-g-t-m from sky@chromium.org
Link to the patchset: https://codereview.chromium.org/1719193003/#ps240001
(title: ".")

[commit-bot: I haz the power, 2016-02-24 05:59:15]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1719193003/240001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1719193003/240001

[commit-bot: I haz the power, 2016-02-24 07:50:27]

Description was changed from

==========
Add a user id parameter to connections.

This is simply a uint32 that identifies the user running a particular instance.
Note that the shell cares nothing about higher level semantic meaning/mapping of
this identifier. That's for a user service to perform.

An application that connects to another specifies the user id they wish the
target to be run as. This can either be a specific user, the root user, or
"inherit" which means either their own identity or root, whichever is available
in that order.

The application manager resolves "inherit" to the source identity or the root
identity, and initializes & completes the connection.

When a target application is initialized, the shell tells it (via Initialize())
the identity it is run as.

When a target application receives an inbound connection, the shell tells it
(via AcceptConnection) the identity of the caller. This allows a service run as
root to service connections from other users, and create facades scoped to that
user.

Long term, only specific applications will be able to pass anything other than
"inherit" as the user id. (e.g. the login app and the profile creator app). This
isn't done in this CL.

I need to add some tests for this, along with the rest of the shell stuff. TBD.

R=sky@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Add a user id parameter to connections.

This is simply a uint32 that identifies the user running a particular instance.
Note that the shell cares nothing about higher level semantic meaning/mapping of
this identifier. That's for a user service to perform.

An application that connects to another specifies the user id they wish the
target to be run as. This can either be a specific user, the root user, or
"inherit" which means either their own identity or root, whichever is available
in that order.

The application manager resolves "inherit" to the source identity or the root
identity, and initializes & completes the connection.

When a target application is initialized, the shell tells it (via Initialize())
the identity it is run as.

When a target application receives an inbound connection, the shell tells it
(via AcceptConnection) the identity of the caller. This allows a service run as
root to service connections from other users, and create facades scoped to that
user.

Long term, only specific applications will be able to pass anything other than
"inherit" as the user id. (e.g. the login app and the profile creator app). This
isn't done in this CL.

I need to add some tests for this, along with the rest of the shell stuff. TBD.

R=sky@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

[commit-bot: I haz the power, 2016-02-24 07:50:29]

Committed patchset #13 (id:240001)

[commit-bot: I haz the power, 2016-02-24 07:51:29]

Description was changed from

==========
Add a user id parameter to connections.

This is simply a uint32 that identifies the user running a particular instance.
Note that the shell cares nothing about higher level semantic meaning/mapping of
this identifier. That's for a user service to perform.

An application that connects to another specifies the user id they wish the
target to be run as. This can either be a specific user, the root user, or
"inherit" which means either their own identity or root, whichever is available
in that order.

The application manager resolves "inherit" to the source identity or the root
identity, and initializes & completes the connection.

When a target application is initialized, the shell tells it (via Initialize())
the identity it is run as.

When a target application receives an inbound connection, the shell tells it
(via AcceptConnection) the identity of the caller. This allows a service run as
root to service connections from other users, and create facades scoped to that
user.

Long term, only specific applications will be able to pass anything other than
"inherit" as the user id. (e.g. the login app and the profile creator app). This
isn't done in this CL.

I need to add some tests for this, along with the rest of the shell stuff. TBD.

R=sky@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Add a user id parameter to connections.

This is simply a uint32 that identifies the user running a particular instance.
Note that the shell cares nothing about higher level semantic meaning/mapping of
this identifier. That's for a user service to perform.

An application that connects to another specifies the user id they wish the
target to be run as. This can either be a specific user, the root user, or
"inherit" which means either their own identity or root, whichever is available
in that order.

The application manager resolves "inherit" to the source identity or the root
identity, and initializes & completes the connection.

When a target application is initialized, the shell tells it (via Initialize())
the identity it is run as.

When a target application receives an inbound connection, the shell tells it
(via AcceptConnection) the identity of the caller. This allows a service run as
root to service connections from other users, and create facades scoped to that
user.

Long term, only specific applications will be able to pass anything other than
"inherit" as the user id. (e.g. the login app and the profile creator app). This
isn't done in this CL.

I need to add some tests for this, along with the rest of the shell stuff. TBD.

R=sky@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation

Committed: https://crrev.com/a16b491f249de01d84114889f2ea3a8aea966413
Cr-Commit-Position: refs/heads/master@{#377239}
==========

[commit-bot: I haz the power, 2016-02-24 07:51:30]

Patchset 13 (id:??) landed as
https://crrev.com/a16b491f249de01d84114889f2ea3a8aea966413
Cr-Commit-Position: refs/heads/master@{#377239}