OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/common/sandbox_mac.h" | 5 #include "content/common/sandbox_mac.h" |
6 | 6 |
7 #import <Cocoa/Cocoa.h> | 7 #import <Cocoa/Cocoa.h> |
8 #import <OpenGL/OpenGL.h> | 8 #import <OpenGL/OpenGL.h> |
9 | 9 |
10 extern "C" { | 10 extern "C" { |
(...skipping 366 matching lines...)
377 if (!sandbox_data) { | 377 if (!sandbox_data) { |
378 LOG(FATAL) << "Failed to find the sandbox profile on disk " | 378 LOG(FATAL) << "Failed to find the sandbox profile on disk " |
379 << [sandbox_profile_path fileSystemRepresentation]; | 379 << [sandbox_profile_path fileSystemRepresentation]; |
380 return nil; | 380 return nil; |
381 } | 381 } |
382 | 382 |
383 // Prefix sandbox_data with common_sandbox_prefix_data. | 383 // Prefix sandbox_data with common_sandbox_prefix_data. |
384 return [common_sandbox_prefix_data stringByAppendingString:sandbox_data]; | 384 return [common_sandbox_prefix_data stringByAppendingString:sandbox_data]; |
385 } | 385 } |
386 | 386 |
387 // Retrieve OS X version, output parameters are self explanatory. | |
388 void GetOSVersion(bool* snow_leopard_or_higher, bool* lion_or_higher) { | |
389 int32 major_version, minor_version, bugfix_version; | |
390 base::SysInfo::OperatingSystemVersionNumbers(&major_version, | |
391 &minor_version, | |
392 &bugfix_version); | |
393 *snow_leopard_or_higher = | |
394 (major_version > 10 || (major_version == 10 && minor_version >= 6)); | |
395 *lion_or_higher = | |
396 (major_version > 10 || (major_version == 10 && minor_version >= 7)); | |
397 } | |
398 | |
399 // static | 387 // static |
400 bool Sandbox::PostProcessSandboxProfile( | 388 bool Sandbox::PostProcessSandboxProfile( |
401 NSString* sandbox_template, | 389 NSString* sandbox_template, |
402 NSArray* comments_to_remove, | 390 NSArray* comments_to_remove, |
403 SandboxVariableSubstitions& substitutions, | 391 SandboxVariableSubstitions& substitutions, |
404 std::string *final_sandbox_profile_str) { | 392 std::string *final_sandbox_profile_str) { |
405 NSString* sandbox_data = [[sandbox_template copy] autorelease]; | 393 NSString* sandbox_data = [[sandbox_template copy] autorelease]; |
406 | 394 |
407 // Remove comments, e.g. ;10.6_ONLY . | 395 // Remove comments, e.g. ;10.6_ONLY . |
408 for (NSString* to_remove in comments_to_remove) { | 396 for (NSString* to_remove in comments_to_remove) { |
(...skipping 90 matching lines...)
499 | 487 |
500 // Enable verbose logging if enabled on the command line. (See common.sb | 488 // Enable verbose logging if enabled on the command line. (See common.sb |
501 // for details). | 489 // for details). |
502 const CommandLine* command_line = CommandLine::ForCurrentProcess(); | 490 const CommandLine* command_line = CommandLine::ForCurrentProcess(); |
503 bool enable_logging = | 491 bool enable_logging = |
504 command_line->HasSwitch(switches::kEnableSandboxLogging);; | 492 command_line->HasSwitch(switches::kEnableSandboxLogging);; |
505 if (enable_logging) { | 493 if (enable_logging) { |
506 [tokens_to_remove addObject:@";ENABLE_LOGGING"]; | 494 [tokens_to_remove addObject:@";ENABLE_LOGGING"]; |
507 } | 495 } |
508 | 496 |
509 bool snow_leopard_or_higher; | 497 bool snow_leopard_or_later = base::mac::IsOSSnowLeopardOrLater(); |
510 bool lion_or_higher; | 498 bool lion_or_later = base::mac::IsOSLionOrLater(); |
511 GetOSVersion(&snow_leopard_or_higher, &lion_or_higher); | |
512 | 499 |
513 // Without this, the sandbox will print a message to the system log every | 500 // Without this, the sandbox will print a message to the system log every |
514 // time it denies a request. This floods the console with useless spew. The | 501 // time it denies a request. This floods the console with useless spew. The |
515 // (with no-log) syntax is only supported on 10.6+ | 502 // (with no-log) syntax is only supported on 10.6+ |
516 if (snow_leopard_or_higher && !enable_logging) { | 503 if (snow_leopard_or_later && !enable_logging) { |
517 substitutions["DISABLE_SANDBOX_DENIAL_LOGGING"] = | 504 substitutions["DISABLE_SANDBOX_DENIAL_LOGGING"] = |
518 SandboxSubstring("(with no-log)"); | 505 SandboxSubstring("(with no-log)"); |
519 } else { | 506 } else { |
520 substitutions["DISABLE_SANDBOX_DENIAL_LOGGING"] = SandboxSubstring(""); | 507 substitutions["DISABLE_SANDBOX_DENIAL_LOGGING"] = SandboxSubstring(""); |
521 } | 508 } |
522 | 509 |
523 // Splice the path of the user's home directory into the sandbox profile | 510 // Splice the path of the user's home directory into the sandbox profile |
524 // (see renderer.sb for details). | 511 // (see renderer.sb for details). |
525 std::string home_dir = base::SysNSStringToUTF8(NSHomeDirectory()); | 512 std::string home_dir = base::SysNSStringToUTF8(NSHomeDirectory()); |
526 | 513 |
527 FilePath home_dir_canonical(home_dir); | 514 FilePath home_dir_canonical(home_dir); |
528 GetCanonicalSandboxPath(&home_dir_canonical); | 515 GetCanonicalSandboxPath(&home_dir_canonical); |
529 | 516 |
530 substitutions["USER_HOMEDIR_AS_LITERAL"] = | 517 substitutions["USER_HOMEDIR_AS_LITERAL"] = |
531 SandboxSubstring(home_dir_canonical.value(), | 518 SandboxSubstring(home_dir_canonical.value(), |
532 SandboxSubstring::LITERAL); | 519 SandboxSubstring::LITERAL); |
533 | 520 |
534 if (lion_or_higher) { | 521 if (lion_or_later) { |
535 // >=10.7 Sandbox rules. | 522 // >=10.7 Sandbox rules. |
536 [tokens_to_remove addObject:@";10.7_OR_ABOVE"]; | 523 [tokens_to_remove addObject:@";10.7_OR_ABOVE"]; |
537 } | 524 } |
538 | 525 |
539 if (snow_leopard_or_higher) { | 526 if (snow_leopard_or_later) { |
540 // >=10.6 Sandbox rules. | 527 // >=10.6 Sandbox rules. |
541 [tokens_to_remove addObject:@";10.6_OR_ABOVE"]; | 528 [tokens_to_remove addObject:@";10.6_OR_ABOVE"]; |
542 } else { | 529 } else { |
543 // Sandbox rules only for versions before 10.6. | 530 // Sandbox rules only for versions before 10.6. |
544 [tokens_to_remove addObject:@";BEFORE_10.6"]; | 531 [tokens_to_remove addObject:@";BEFORE_10.6"]; |
545 } | 532 } |
546 | 533 |
547 // All information needed to assemble the final profile has been collected. | 534 // All information needed to assemble the final profile has been collected. |
548 // Merge it all together. | 535 // Merge it all together. |
549 std::string final_sandbox_profile_str; | 536 std::string final_sandbox_profile_str; |
(...skipping 28 matching lines...)
578 if (HANDLE_EINTR(fcntl(fd, F_GETPATH, canonical_path)) != 0) { | 565 if (HANDLE_EINTR(fcntl(fd, F_GETPATH, canonical_path)) != 0) { |
579 PLOG(FATAL) << "GetCanonicalSandboxPath() failed for: " | 566 PLOG(FATAL) << "GetCanonicalSandboxPath() failed for: " |
580 << path->value(); | 567 << path->value(); |
581 return; | 568 return; |
582 } | 569 } |
583 | 570 |
584 *path = FilePath(canonical_path); | 571 *path = FilePath(canonical_path); |
585 } | 572 } |
586 | 573 |
587 } // namespace sandbox | 574 } // namespace sandbox |
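Review bot: The two flags at new lines 497–498 now decide which of the `;10.6_OR_ABOVE`, `;10.7_OR_ABOVE` and `;BEFORE_10.6` rule sets go into the sandbox profile, but nothing on this page shows how `base::mac::IsOSSnowLeopardOrLater()` and `base::mac::IsOSLionOrLater()` answer on an OS release they do not recognise. The removed `GetOSVersion()` explicitly treated any `major_version > 10` as later; if the base helpers can return false for an unknown version, the profile would silently select the pre-10.6 rules and drop `(with no-log)`. Please confirm that behaviour and record it next to the two calls, e.g. `// Profile selection relies on base::mac::IsOS*OrLater() reporting true on unrecognised newer releases.` Both locals can also be declared `const bool`, since they are never reassigned in the visible lines. The enclosing function starts and ends in the skipped regions, so this rests on the visible lines only.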