Mac Sandbox: Clean up forward declaration of internal sandbox functions.

chrome/common/sandbox_mac.mm

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/sandbox_mac.h"
 
 #include "base/debug_util.h"
 
 #import <Cocoa/Cocoa.h>
 extern "C" {
 #include <sandbox.h>
 }
 #include <sys/param.h>
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/file_util.h"
-#include "base/hash_tables.h"
 #include "base/mac_util.h"
 #include "base/rand_util_c.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/mac/scoped_nsautorelease_pool.h"
 #include "base/string16.h"
 #include "base/string_util.h"
 #include "base/sys_info.h"
 #include "base/sys_string_conversions.h"
 #include "base/utf_string_conversions.h"
 #include "chrome/common/chrome_switches.h"
@@ skipping 34 matching lines @@
   }
 
   dst->append(append);
   return true;
 }
 
 }  // namespace
 
 namespace sandbox {
 
-// A map of variable name -> string to substitute in its place.
-typedef base::hash_map<std::string, sandbox::SandboxSubstring>
-    SandboxVariableSubstitions;
 
-// Escape |str_utf8| for use in a plain string variable in a sandbox
-// configuraton file.  On return |dst| is set to the utf-8 encoded quoted
-// output.
-// Returns: true on success, false otherwise.
-bool QuotePlainString(const std::string& str_utf8, std::string* dst) {
+// static
+bool Sandbox::QuotePlainString(const std::string& str_utf8, std::string* dst) {
   dst->clear();
 
   const char* src = str_utf8.c_str();
   int32_t length = str_utf8.length();
   int32_t position = 0;
   while (position < length) {
     UChar32 c;
     U8_NEXT(src, position, length, c);  // Macro increments |position|.
     DCHECK_GE(c, 0);
     if (c < 0)
@@ skipping 14 matching lines @@
     }
 
     // If we got here we know that the character in question is strictly
     // in the ASCII range so there's no need to do any kind of encoding
     // conversion.
     dst->push_back(static_cast<char>(c));
   }
   return true;
 }
 
-// Escape |str_utf8| for use in a regex literal in a sandbox
-// configuraton file.  On return |dst| is set to the utf-8 encoded quoted
-// output.
-//
-// The implementation of this function is based on empirical testing of the
-// OS X sandbox on 10.5.8 & 10.6.2 which is undocumented and subject to change.
-//
-// Note: If str_utf8 contains any characters < 32 || >125 then the function
-// fails and false is returned.
-//
-// Returns: true on success, false otherwise.
-bool QuoteStringForRegex(const std::string& str_utf8, std::string* dst) {
+// static
+bool Sandbox::QuoteStringForRegex(const std::string& str_utf8,
+                                  std::string* dst) {
   // Characters with special meanings in sandbox profile syntax.
   const char regex_special_chars[] = {
     '\\',
 
     // Metacharacters
     '^',
     '.',
     '[',
     ']',
     '$',
@@ skipping 46 matching lines @@
   return true;
 }
 
 // Warm up System APIs that empirically need to be accessed before the Sandbox
 // is turned on.
 // This method is layed out in blocks, each one containing a separate function
 // that needs to be warmed up. The OS version on which we found the need to
 // enable the function is also noted.
 // This function is tested on the following OS versions:
 //     10.5.6, 10.6.0
-void SandboxWarmup() {
+
+// static
+void Sandbox::SandboxWarmup() {
   base::mac::ScopedNSAutoreleasePool scoped_pool;
 
   { // CGColorSpaceCreateWithName(), CGBitmapContextCreate() - 10.5.6
     base::mac::ScopedCFTypeRef<CGColorSpaceRef> rgb_colorspace(
         CGColorSpaceCreateWithName(kCGColorSpaceGenericRGB));
 
     // Allocate a 1x1 image.
     char data[4];
     base::mac::ScopedCFTypeRef<CGContextRef> context(
         CGBitmapContextCreate(data, 1, 1, 8, 1 * 4,
@@ skipping 35 matching lines @@
         CGImageSourceCreateWithData((CFDataRef)data,
         NULL));
     CGImageSourceGetStatus(img);
   }
 
   { // Native Client access to /dev/random.
     GetUrandomFD();
   }
 }
 
-// Build the Sandbox command necessary to allow access to a named directory
-// indicated by |allowed_dir|.
-// Returns a string containing the sandbox profile commands necessary to allow
-// access to that directory or nil if an error occured.
-
-// The header comment for PostProcessSandboxProfile() explains how variable
-// substition works in sandbox templates.
-// The returned string contains embedded variables. The function fills in
-// |substitutions| to contain the values for these variables.
-NSString* BuildAllowDirectoryAccessSandboxString(
+// static
+NSString* Sandbox::BuildAllowDirectoryAccessSandboxString(
     const FilePath& allowed_dir,
     SandboxVariableSubstitions* substitutions) {
   // A whitelist is used to determine which directories can be statted
   // This means that in the case of an /a/b/c/d/ directory, we may be able to
   // stat the leaf directory, but not it's parent.
   // The extension code in Chrome calls realpath() which fails if it can't call
   // stat() on one of the parent directories in the path.
   // The solution to this is to allow statting the parent directories themselves
   // but not their contents.  We need to add a separate rule for each parent
   // directory.
@@ skipping 40 matching lines @@
                        SandboxSubstring::REGEX);
   sandbox_command =
       [sandbox_command
           stringByAppendingString:@") (allow file-read* file-write*"
                                    " (regex #\"@ALLOWED_DIR@\") )"];
   return sandbox_command;
 }
 
 // Load the appropriate template for the given sandbox type.
 // Returns the template as an NSString or nil on error.
-NSString* LoadSandboxTemplate(SandboxProcessType sandbox_type) {
+NSString* LoadSandboxTemplate(Sandbox::SandboxProcessType sandbox_type) {
   // We use a custom sandbox definition file to lock things down as
   // tightly as possible.
   NSString* sandbox_config_filename = nil;
   switch (sandbox_type) {
-    case SANDBOX_TYPE_RENDERER:
+    case Sandbox::SANDBOX_TYPE_RENDERER:
       sandbox_config_filename = @"renderer";
       break;
-    case SANDBOX_TYPE_WORKER:
+    case Sandbox::SANDBOX_TYPE_WORKER:
       sandbox_config_filename = @"worker";
       break;
-    case SANDBOX_TYPE_UTILITY:
+    case Sandbox::SANDBOX_TYPE_UTILITY:
       sandbox_config_filename = @"utility";
       break;
-    case SANDBOX_TYPE_NACL_LOADER:
+    case Sandbox::SANDBOX_TYPE_NACL_LOADER:
       // The Native Client loader is used for safeguarding the user's
       // untrusted code within Native Client.
       sandbox_config_filename = @"nacl_loader";
       break;
     default:
       NOTREACHED();
       return nil;
   }
 
   // Read in the sandbox profile and the common prefix file.
@@ skipping 32 matching lines @@
 // Retrieve OS X version, output parameters are self explanatory.
 void GetOSVersion(bool* snow_leopard_or_higher) {
   int32 major_version, minor_version, bugfix_version;
   base::SysInfo::OperatingSystemVersionNumbers(&major_version,
                                                &minor_version,
                                                &bugfix_version);
   *snow_leopard_or_higher =
       (major_version > 10 || (major_version == 10 && minor_version >= 6));
 }
 
-// Assemble the final sandbox profile from a template by removing comments
-// and substituting variables.
-//
-// |sandbox_template| is a string which contains 2 entitites to operate on:
-//
-// - Comments - The sandbox comment syntax is used to make the OS sandbox
-// optionally ignore commands it doesn't support. e.g.
-// ;10.6_ONLY (foo)
-// Where (foo) is some command that is only supported on OS X 10.6.
-// The ;10.6_ONLY comment can then be removed from the template to enable (foo)
-// as appropriate.
-//
-// - Variables - denoted by @variable_name@ .  These are defined in the sandbox
-// template in cases where another string needs to be substituted at runtime.
-// e.g. @HOMEDIR_AS_LITERAL@ is substituted at runtime for the user's home
-// directory escaped appropriately for a (literal ...) expression.
-//
-// |comments_to_remove| is a list of NSStrings containing the comments to
-// remove.
-// |substitutions| is a hash of "variable name" -> "string to substitute".
-// Where the replacement string is tagged with information on how it is to be
-// escaped e.g. used as part of a regex string or a literal.
-//
-// On output |final_sandbox_profile_str| contains the final sandbox profile.
-// Returns true on success, false otherwise.
-bool PostProcessSandboxProfile(NSString* sandbox_template,
-                               NSArray* comments_to_remove,
-                               SandboxVariableSubstitions& substitutions,
-                               std::string *final_sandbox_profile_str) {
+// static
+bool Sandbox::PostProcessSandboxProfile(
+        NSString* sandbox_template,
+        NSArray* comments_to_remove,
+        SandboxVariableSubstitions& substitutions,
+        std::string *final_sandbox_profile_str) {
   NSString* sandbox_data = [[sandbox_template copy] autorelease];
 
   // Remove comments, e.g. ;10.6_ONLY .
   for (NSString* to_remove in comments_to_remove) {
     sandbox_data = [sandbox_data stringByReplacingOccurrencesOfString:to_remove
                                                            withString:@""];
   }
 
   // Split string on "@" characters.
   std::vector<std::string> raw_sandbox_pieces;
@@ skipping 42 matching lines @@
   for (std::vector<std::string>::iterator it = processed_sandbox_pieces.begin();
        it != processed_sandbox_pieces.end();
        ++it) {
     final_sandbox_profile_str->append(*it);
   }
   return true;
 }
 
 
 // Turns on the OS X sandbox for this process.
-bool EnableSandbox(SandboxProcessType sandbox_type,
-                   const FilePath& allowed_dir) {
+
+// static
+bool Sandbox::EnableSandbox(SandboxProcessType sandbox_type,
+                            const FilePath& allowed_dir) {
   // Sanity - currently only SANDBOX_TYPE_UTILITY supports a directory being
   // passed in.
   if (sandbox_type != SANDBOX_TYPE_UTILITY) {
     DCHECK(allowed_dir.empty())
         << "Only SANDBOX_TYPE_UTILITY allows a custom directory parameter.";
   }
 
   NSString* sandbox_data = LoadSandboxTemplate(sandbox_type);
   if (!sandbox_data) {
     return false;
@@ skipping 73 matching lines @@
   int error = sandbox_init(final_sandbox_profile_str.c_str(), 0, &error_buff);
   bool success = (error == 0 && error_buff == NULL);
   LOG_IF(FATAL, !success) << "Failed to initialize sandbox: "
                           << error
                           << " "
                           << error_buff;
   sandbox_free_error(error_buff);
   return success;
 }
 
-void GetCanonicalSandboxPath(FilePath* path) {
+// static
+void Sandbox::GetCanonicalSandboxPath(FilePath* path) {
   int fd = HANDLE_EINTR(open(path->value().c_str(), O_RDONLY));
   if (fd < 0) {
     PLOG(FATAL) << "GetCanonicalSandboxPath() failed for: "
                 << path->value();
     return;
   }
   file_util::ScopedFD file_closer(&fd);
 
   FilePath::CharType canonical_path[MAXPATHLEN];
   if (HANDLE_EINTR(fcntl(fd, F_GETPATH, canonical_path)) != 0) {
     PLOG(FATAL) << "GetCanonicalSandboxPath() failed for: "
                 << path->value();
     return;
   }
 
   *path = FilePath(canonical_path);
 }
 
 }  // namespace sandbox