Load mac sandbox definitions from resources instead of the bundle.

content/common/sandbox_mac.mm

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_mac.h"
 
 #import <Cocoa/Cocoa.h>
 
 extern "C" {
 #include <sandbox.h>
 }
 #include <signal.h>
 #include <sys/param.h>
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/file_util.h"
 #include "base/mac/mac_util.h"
 #include "base/rand_util_c.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/mac/scoped_nsautorelease_pool.h"
 #include "base/string16.h"
+#include "base/string_piece.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/sys_info.h"
 #include "base/sys_string_conversions.h"
 #include "base/utf_string_conversions.h"
 #include "content/common/chrome_application_mac.h"
+#include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
+#include "grit/content_resources.h"
 #include "unicode/uchar.h"
 #include "ui/gfx/gl/gl_surface.h"
 
 namespace {
 
+struct SandboxProcessTypePolicyMapping {
+  content::SandboxProcessType sandbox_process_type;
+  int sandbox_policy_resource_id;
+};
+
+// Mapping from sandbox process types to resource IDs defining the sandbox
+// policy for all process types known to content.
+SandboxProcessTypePolicyMapping kDefaultSandboxProcessTypePolicyMapping[] = {
+  { content::SANDBOX_TYPE_RENDERER, IDR_RENDERER_SANDBOX_POLICY },
+  { content::SANDBOX_TYPE_WORKER,   IDR_WORKER_SANDBOX_POLICY },
+  { content::SANDBOX_TYPE_UTILITY,  IDR_UTILITY_SANDBOX_POLICY },
+  { content::SANDBOX_TYPE_GPU,      IDR_GPU_SANDBOX_POLICY },
+  { content::SANDBOX_TYPE_PPAPI,    IDR_PPAPI_SANDBOX_POLICY },
+};
+
+COMPILE_ASSERT(arraysize(kDefaultSandboxProcessTypePolicyMapping) == \
+               size_t(content::SANDBOX_AFTER_TYPE_LAST_TYPE), \
+               sandbox_process_type_policy_map_incorrect);
+
 // Try to escape |c| as a "SingleEscapeCharacter" (\n, etc).  If successful,
 // returns true and appends the escape sequence to |dst|.
 bool EscapeSingleChar(char c, std::string* dst) {
   const char *append = NULL;
   switch (c) {
     case '\b':
       append = "\\b";
       break;
     case '\f':
       append = "\\f";
@@ skipping 137 matching lines @@
 
 // Warm up System APIs that empirically need to be accessed before the Sandbox
 // is turned on.
 // This method is layed out in blocks, each one containing a separate function
 // that needs to be warmed up. The OS version on which we found the need to
 // enable the function is also noted.
 // This function is tested on the following OS versions:
 //     10.5.6, 10.6.0
 
 // static
-void Sandbox::SandboxWarmup(SandboxProcessType sandbox_type) {
+void Sandbox::SandboxWarmup(int sandbox_type) {
   base::mac::ScopedNSAutoreleasePool scoped_pool;
 
   { // CGColorSpaceCreateWithName(), CGBitmapContextCreate() - 10.5.6
     base::mac::ScopedCFTypeRef<CGColorSpaceRef> rgb_colorspace(
         CGColorSpaceCreateWithName(kCGColorSpaceGenericRGB));
 
     // Allocate a 1x1 image.
     char data[4];
     base::mac::ScopedCFTypeRef<CGContextRef> context(
         CGBitmapContextCreate(data, 1, 1, 8, 1 * 4,
@@ skipping 36 matching lines @@
         NULL));
     CGImageSourceGetStatus(img);
   }
 
   {
     // Allow access to /dev/urandom.
     GetUrandomFD();
   }
 
   // Process-type dependent warm-up.
-  switch (sandbox_type) {
-    case SANDBOX_TYPE_GPU:
-      {
-         // Preload either the desktop GL or the osmesa so, depending on the
-         // --use-gl flag.
-         gfx::GLSurface::InitializeOneOff();
-      }
-      break;
-
-    default:
-      // To shut up a gcc warning.
-      break;
+  if (sandbox_type == content::SANDBOX_TYPE_GPU) {
+     // Preload either the desktop GL or the osmesa so, depending on the
+     // --use-gl flag.
+     gfx::GLSurface::InitializeOneOff();
   }
 }
 
 // static
 NSString* Sandbox::BuildAllowDirectoryAccessSandboxString(
     const FilePath& allowed_dir,
     SandboxVariableSubstitions* substitutions) {
   // A whitelist is used to determine which directories can be statted
   // This means that in the case of an /a/b/c/d/ directory, we may be able to
   // stat the leaf directory, but not it's parent.
@@ skipping 45 matching lines @@
                        SandboxSubstring::REGEX);
   sandbox_command =
       [sandbox_command
           stringByAppendingString:@") (allow file-read* file-write*"
                                    " (regex #\"@ALLOWED_DIR@\") )"];
   return sandbox_command;
 }
 
 // Load the appropriate template for the given sandbox type.
 // Returns the template as an NSString or nil on error.
-NSString* LoadSandboxTemplate(Sandbox::SandboxProcessType sandbox_type) {
-  // We use a custom sandbox definition file to lock things down as
-  // tightly as possible.
-  NSString* sandbox_config_filename = nil;
-  switch (sandbox_type) {
-    case Sandbox::SANDBOX_TYPE_RENDERER:
-      sandbox_config_filename = @"renderer";
+NSString* LoadSandboxTemplate(int sandbox_type) {

[jeremy, 2011/11/23 07:02:17]

Can you add a CHECK() here or in an appropriate place to make sure we aren't
passing in bogus values for sandbox_type.

[jochen (gone - plz use gerrit), 2011/11/23 10:57:28]

Done.

+  // We use a custom sandbox definition to lock things down as tightly as
+  // possible.
+  int sandbox_policy_resource_id = -1;
+
+  for (size_t i = 0;

[jeremy, 2011/11/23 07:02:17]

// Find resource id for sandbox profile to use for the specific sandbox type.

[jochen (gone - plz use gerrit), 2011/11/23 10:57:28]

Done.

+       i < arraysize(kDefaultSandboxProcessTypePolicyMapping);
+       ++i) {
+    if (kDefaultSandboxProcessTypePolicyMapping[i].sandbox_process_type ==
+        sandbox_type) {
+      sandbox_policy_resource_id =
+          kDefaultSandboxProcessTypePolicyMapping[i].sandbox_policy_resource_id;
       break;
-    case Sandbox::SANDBOX_TYPE_WORKER:
-      sandbox_config_filename = @"worker";
-      break;
-    case Sandbox::SANDBOX_TYPE_UTILITY:
-      sandbox_config_filename = @"utility";
-      break;
-    case Sandbox::SANDBOX_TYPE_NACL_LOADER:
-      // The Native Client loader is used for safeguarding the user's
-      // untrusted code within Native Client.
-      sandbox_config_filename = @"nacl_loader";
-      break;
-    case Sandbox::SANDBOX_TYPE_GPU:
-      sandbox_config_filename = @"gpu";
-      break;
-    case Sandbox::SANDBOX_TYPE_PPAPI:
-      sandbox_config_filename = @"ppapi";
-      break;
-    default:
-      NOTREACHED();
-      return nil;
+    }
   }
-
-  // Read in the sandbox profile and the common prefix file.
-  NSString* common_sandbox_prefix_path =
-      [base::mac::MainAppBundle() pathForResource:@"common"
-                                          ofType:@"sb"];
-  NSString* common_sandbox_prefix_data =
-      [NSString stringWithContentsOfFile:common_sandbox_prefix_path
-                                encoding:NSUTF8StringEncoding
-                                   error:NULL];
-
-  if (!common_sandbox_prefix_data) {
-    DLOG(FATAL) << "Failed to find the sandbox profile on disk "
-                << [common_sandbox_prefix_path fileSystemRepresentation];
+  if (sandbox_policy_resource_id == -1) {
+    // See if the embedder knows about this sandbox process type.

[jeremy, 2011/11/23 07:02:17]

*See->Check

[jochen (gone - plz use gerrit), 2011/11/23 10:57:28]

Done.

+    sandbox_policy_resource_id = content::GetContentClient()->
+        GetSandboxPolicyForSandboxType(sandbox_type);
+  }
+  if (sandbox_policy_resource_id == -1) {
+    DLOG(FATAL) << "Unknown sandbox type " << sandbox_type;

[jeremy, 2011/11/23 07:02:17]

LOG_IF()
errors here should always be fatal, I know you're doing the same as the old
code, but IMHO failing hard is the right approach.

[jochen (gone - plz use gerrit), 2011/11/23 10:57:28]

I turned this into a CHECK

     return nil;
   }
 
-  NSString* sandbox_profile_path =
-      [base::mac::MainAppBundle() pathForResource:sandbox_config_filename
-                                          ofType:@"sb"];
-  NSString* sandbox_data =
-      [NSString stringWithContentsOfFile:sandbox_profile_path
-                                 encoding:NSUTF8StringEncoding
-                                    error:NULL];
-
-  if (!sandbox_data) {
-    DLOG(FATAL) << "Failed to find the sandbox profile on disk "
-                << [sandbox_profile_path fileSystemRepresentation];
+  base::StringPiece sandbox_definition =
+      content::GetContentClient()->GetDataResource(sandbox_policy_resource_id);
+  if (sandbox_definition.empty()) {
+    DLOG(FATAL) << "Failed to load the sandbox profile (resource id "

[jeremy, 2011/11/23 07:02:17]

*DLOG -> LOG

[jochen (gone - plz use gerrit), 2011/11/23 10:57:28]

Done.

+                << sandbox_policy_resource_id << ")";
     return nil;
   }
 
+  base::StringPiece common_sandbox_definition =
+      content::GetContentClient()->GetDataResource(IDR_COMMON_SANDBOX_POLICY);
+  if (common_sandbox_definition.empty()) {
+    DLOG(FATAL) << "Failed to load the common sandbox profile";
+    return nil;
+  }
+
+  NSString* common_sandbox_prefix_data =
+      [[NSString alloc] initWithBytes:common_sandbox_definition.data()
+                               length:common_sandbox_definition.length()
+                             encoding:NSUTF8StringEncoding];
+
+  NSString* sandbox_data =
+      [[NSString alloc] initWithBytes:sandbox_definition.data()
+                               length:sandbox_definition.length()
+                             encoding:NSUTF8StringEncoding];
+
   // Prefix sandbox_data with common_sandbox_prefix_data.
   return [common_sandbox_prefix_data stringByAppendingString:sandbox_data];
 }
 
 // static
 bool Sandbox::PostProcessSandboxProfile(
         NSString* sandbox_template,
         NSArray* comments_to_remove,
         SandboxVariableSubstitions& substitutions,
         std::string *final_sandbox_profile_str) {
@@ skipping 56 matching lines @@
        ++it) {
     final_sandbox_profile_str->append(*it);
   }
   return true;
 }
 
 
 // Turns on the OS X sandbox for this process.
 
 // static
-bool Sandbox::EnableSandbox(SandboxProcessType sandbox_type,
+bool Sandbox::EnableSandbox(int sandbox_type,
                             const FilePath& allowed_dir) {
   // Sanity - currently only SANDBOX_TYPE_UTILITY supports a directory being
   // passed in.
-  if (sandbox_type != SANDBOX_TYPE_UTILITY) {
+  if (sandbox_type < content::SANDBOX_AFTER_TYPE_LAST_TYPE &&

[jeremy, 2011/11/23 07:02:17]

CHECK(sandbox_type < content::SANDBOX_AFTER_TYPE_LAST_TYPE);
if(...)

[jochen (gone - plz use gerrit), 2011/11/23 10:57:28]

That's not necessarily true, as the embedder might register arbitrary other
sandbox types which might allow directories

+      sandbox_type != content::SANDBOX_TYPE_UTILITY) {
     DCHECK(allowed_dir.empty())
         << "Only SANDBOX_TYPE_UTILITY allows a custom directory parameter.";
   }
 
   NSString* sandbox_data = LoadSandboxTemplate(sandbox_type);
   if (!sandbox_data) {
     return false;
   }
 
   SandboxVariableSubstitions substitutions;
@@ skipping 93 matching lines @@
   if (HANDLE_EINTR(fcntl(fd, F_GETPATH, canonical_path)) != 0) {
     DPLOG(FATAL) << "GetCanonicalSandboxPath() failed for: "
                  << path->value();
     return;
   }
 
   *path = FilePath(canonical_path);
 }
 
 }  // namespace sandbox