
Consider deprecating "restricted mode" from mozc_server and mozc_renderer on Windows #1376

@yukawa

Description


As Mozc no longer supports Windows 7 and prior OSes where nested Win32 Jobs were not supported, chances are quite high that we can remove so-called Restricted Mode from mozc_server and mozc_renderer. Let's see if we can actually do that.

ABSL_DECLARE_FLAG(bool, restricted);  // in SessionHandler

// By default, mozc_renderer quits when user-input continues to be
// idle for 10min.
ABSL_FLAG(int32_t, timeout, 10 * 60, "timeout of candidate server (sec)");
ABSL_FLAG(bool, restricted, false,
          "launch candidates server with restricted mode");

Background

When Mozc's sandbox architecture was originally designed for Windows, one of the challenges was that nested Win32 Jobs were not supported, while Mozc wanted to create a Job when launching mozc_server and mozc_renderer so that those two processes could run with limited resource access. The solution we chose was to introduce a special mode called "Restricted Mode", where those processes run without Win32 Job sandboxing for only a limited time duration (e.g. 60 sec). Restricted mode is used only when all the following conditions are met:

  • The server process (mozc_server or mozc_renderer) is not yet running.
  • The client process (e.g. notepad.exe) is already running in a Win32 Job without JOB_OBJECT_LIMIT_BREAKAWAY_OK or JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK.

#ifdef _WIN32
  // When mozc is not used as a default IME and some applications (like notepad)
  // are registered in "Start up", mozc_server may not be launched successfully.
  // This is because the Explorer launches start-up processes inside a group job
  // and the process inside a job cannot make our sandboxed child processes.
  // The group job is unregistered after 60 secs (default).
  //
  // Here we relax the sandbox restriction if process is in a job.
  // In order to keep security, the mozc_server is launched
  // with restricted mode.
  const bool process_in_job = RunLevel::IsProcessInJob();
  if (process_in_job || restricted_) {
    LOG(WARNING) << "Parent process is in job. start with restricted mode";
    arg += "--restricted";
  }
#endif  // _WIN32

Now that nested Win32 Jobs have been fully supported since Windows 8, it's highly likely the above special mode is no longer necessary.

Steps to reproduce

TBD.

Expected behavior

TBD.

Actual behavior

TBD.

Version or commit-id

2efeece

Environment

  • OS: Windows 24H2
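A probe for the claim the issue rests on, added here as an example and not part of Mozc or of the original report: `client_job_blocks_child_job` encodes the client-side condition from the Background section (in a Job, no breakaway flag set), and on Windows `probe_nested_job` reads the calling process's own Job limits with the documented Win32 calls and then tries to nest a fresh Job, which is exactly what Windows 7 refused and Windows 8+ permits. Function names and the non-Windows fallback defines are my own; the flag values are those from winnt.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Values from winnt.h, repeated here so the decision logic also compiles off Windows. */
#define JOB_OBJECT_LIMIT_BREAKAWAY_OK        0x00000800u
#define JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK 0x00001000u
#endif

/* The client-side condition quoted in the issue: the client already sits in a
 * Win32 Job that allows neither explicit nor silent breakaway. Before Windows 8
 * such a client could not place a child into a fresh Job. */
bool client_job_blocks_child_job(bool in_job, uint32_t limit_flags) {
  if (!in_job) return false;
  uint32_t breakaway = JOB_OBJECT_LIMIT_BREAKAWAY_OK |
                       JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK;
  return (limit_flags & breakaway) == 0;
}

#ifdef _WIN32
/* Inspect the calling process's own Job (a NULL handle means "the Job I am in"),
 * then try to nest a new, empty Job around ourselves. Returns 1 if nesting
 * works (Windows 8+), 0 if the OS refuses it (Windows 7 behaviour), -1 on
 * any other error. Note: on success the process stays inside the new Job. */
int probe_nested_job(void) {
  BOOL in_job = FALSE;
  if (!IsProcessInJob(GetCurrentProcess(), NULL, &in_job)) return -1;
  JOBOBJECT_EXTENDED_LIMIT_INFORMATION info = {0};
  DWORD limit_flags = 0;
  if (in_job && QueryInformationJobObject(NULL, JobObjectExtendedLimitInformation,
                                          &info, sizeof(info), NULL)) {
    limit_flags = info.BasicLimitInformation.LimitFlags;
  }
  printf("in_job=%d limit_flags=0x%08lx legacy_restricted_mode_needed=%d\n",
         (int)in_job, (unsigned long)limit_flags,
         (int)client_job_blocks_child_job(in_job != FALSE, limit_flags));
  HANDLE job = CreateJobObjectW(NULL, NULL);
  if (job == NULL) return -1;
  BOOL ok = AssignProcessToJobObject(job, GetCurrentProcess());
  DWORD err = ok ? 0 : GetLastError();
  CloseHandle(job);
  if (ok) return 1;
  return err == ERROR_ACCESS_DENIED ? 0 : -1;
}
#endif
```

Run `probe_nested_job()` from a process that Explorer started inside its start-up Job (the notepad-in-"Start up" case from the issue); a return of 1 with `legacy_restricted_mode_needed=1` is the combination that shows restricted mode is no longer needed on that OS.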
