mus: Don't allow SetEventObserver to monitor key events

components/mus/ws/window_tree.cc

Index: components/mus/ws/window_tree.cc
diff --git a/components/mus/ws/window_tree.cc b/components/mus/ws/window_tree.cc
index f276ad831a15eab4d987fbd50d1415b67d3bd9f3..03049e4236c6156a28a353a531309168bf603be3 100644
--- a/components/mus/ws/window_tree.cc
+++ b/components/mus/ws/window_tree.cc
@@ -1139,13 +1139,41 @@ void WindowTree::ReleaseCapture(uint32_t change_id, Id window_id) {
 
 void WindowTree::SetEventObserver(mojom::EventMatcherPtr matcher,
                                   uint32_t observer_id) {
-  if (!matcher.is_null() && observer_id != 0) {
-    event_observer_matcher_.reset(new EventMatcher(*matcher));
-    event_observer_id_ = observer_id;
-  } else {
+  if (matcher.is_null() || observer_id == 0) {
+    // Clear any existing event observer.
     event_observer_matcher_.reset();
     event_observer_id_ = 0;
+    return;
+  }
+
+  // Do not allow key events to be observed, as a compromised app could register
+  // itself as an event observer and spy on keystrokes to another app.
+  if (!matcher->type_matcher) {
+    DVLOG(1) << "SetEventObserver must specify an event type.";
+    return;
   }
+  const mojom::EventType event_type_whitelist[] = {
+      mojom::EventType::POINTER_CANCEL,
+      mojom::EventType::POINTER_DOWN,
+      mojom::EventType::POINTER_MOVE,
+      mojom::EventType::POINTER_UP,
+      mojom::EventType::MOUSE_EXIT,
+      mojom::EventType::WHEEL,
+  };
+  bool allowed = false;
+  for (mojom::EventType event_type : event_type_whitelist) {
+    if (matcher->type_matcher->type == event_type) {
+      allowed = true;
+      break;
+    }
+  }
+  if (!allowed) {
+    DVLOG(1) << "SetEventObserver event type not allowed";
+    return;
+  }
+
+  event_observer_matcher_.reset(new EventMatcher(*matcher));
+  event_observer_id_ = observer_id;
 }
 
 void WindowTree::SetWindowBounds(uint32_t change_id,