Index: chrome/common/sandbox_mac.h |
diff --git a/chrome/common/sandbox_mac.h b/chrome/common/sandbox_mac.h |
index c747e20989574ee6176c053054750c919fc49bae..a8a55b0d2464774aa5f3acce6a8816fba40f1b12 100644 |
--- a/chrome/common/sandbox_mac.h |
+++ b/chrome/common/sandbox_mac.h |
@@ -5,14 +5,37 @@ |
#ifndef CHROME_COMMON_SANDBOX_MAC_H_ |
#define CHROME_COMMON_SANDBOX_MAC_H_ |
+#include "base/file_path.h" |
+ |
namespace sandbox { |
+enum SandboxProcessType { |
+ SANDBOX_TYPE_RENDERER, |
+ |
+ // Worker process has *everything* not needed for Cocoa locked down. |
+ SANDBOX_TYPE_WORKER, |
+ |
+ // Utility process is as restrictive as the worker process except full access |
+ // is allowed to one configurable directory. |
+ SANDBOX_TYPE_UTILITY, |
+}; |
+ |
// Warm up System APIs that empirically need to be accessed before the Sandbox |
// is turned on. |
void SandboxWarmup(); |
// Turns on the OS X sandbox for this process. |
-bool EnableSandbox(); |
+// |sandbox_type| - type of Sandbox to use. |
+// |allowed_dir| - directory to allow access to, currently the only sandbox |
+// profile that supports this is SANDBOX_TYPE_UTILITY . |
+// |
+// |allowed_dir| must be a "simple" string since it's placed as is in a regex |
+// i.e. it must not contain quotation characters, escaping or any characters |
+// that might have special meaning when blindly substituted into a regular |
+// expression - crbug.com/26492 . |
+// Returns true on success, false if an error occurred enabling the sandbox. |
+bool EnableSandbox(SandboxProcessType sandbox_type, |
+ const FilePath& allowed_dir); |
} // namespace sandbox |
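Review bot: The requirement that |allowed_dir| be a "simple" string is only a caller-side convention in the EnableSandbox comment, yet the value is substituted as-is into a regex in the sandbox profile. A path containing regex metacharacters, even an ordinary `.`, could make the rule match more than the one intended directory or stop the profile from compiling. The implementation is outside this hunk, so it is not visible whether it checks the path; I would have EnableSandbox escape or reject such paths and return false before the sandbox is applied, rather than trust every caller. The comment should also state what happens when |allowed_dir| is non-empty for SANDBOX_TYPE_RENDERER or SANDBOX_TYPE_WORKER, and when it is empty for SANDBOX_TYPE_UTILITY, for example `// Returns false if |allowed_dir| is non-empty for a profile that does not support it.`. SANDBOX_TYPE_RENDERER is also the only enumerator without a description of what its profile permits.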