1. Create a new sandbox type which allows access to Unix sockets in the Mac...

chrome/common/sandbox_init_wrapper_mac.cc

Index: chrome/common/sandbox_init_wrapper_mac.cc
===================================================================
--- chrome/common/sandbox_init_wrapper_mac.cc	(revision 43339)
+++ chrome/common/sandbox_init_wrapper_mac.cc	(working copy)
@@ -20,8 +20,17 @@
     // Browser process isn't sandboxed.
     return true;
   } else if (process_type == switches::kRendererProcess) {
-    // Renderer process sandbox.
-    sandbox_process_type = sandbox::SANDBOX_TYPE_RENDERER;
+    // Renderer process sandbox. If --internal_nacl is present then use the
+    // version of the renderer sandbox which allows Native Client to use Unix
+    // sockets.
+    // TODO(msneck): Remove the use of Unix sockets from Native Client and
+    // then get rid of the SANDBOX_TYPE_NACL_PLUGIN enum.
+    // See http://code.google.com/p/nativeclient/issues/detail?id=344
+    if (command_line.HasSwitch(switches::kInternalNaCl)) {
+      sandbox_process_type = sandbox::SANDBOX_TYPE_NACL_PLUGIN;
+    } else {
+      sandbox_process_type = sandbox::SANDBOX_TYPE_RENDERER;
+    }
   } else if (process_type == switches::kExtensionProcess) {
     // Extension processes are just renderers [they use RenderMain()] with a
     // different set of command line flags.
@@ -39,8 +48,10 @@
   } else if (process_type == switches::kWorkerProcess) {
     // Worker process sandbox.
     sandbox_process_type = sandbox::SANDBOX_TYPE_WORKER;
-  } else if ((process_type == switches::kNaClLoaderProcess) ||
-             (process_type == switches::kPluginProcess) ||
+  } else if (process_type == switches::kNaClLoaderProcess) {
+    // Native Client sel_ldr (user untrusted code) sandbox.
+    sandbox_process_type = sandbox::SANDBOX_TYPE_NACL_LOADER;
+  } else if ((process_type == switches::kPluginProcess) ||
              (process_type == switches::kProfileImportProcess) ||
              (process_type == switches::kGpuProcess)) {
     return true;