Load mac sandbox definitions from resources instead of the bundle.

content/common/sandbox_mac.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_COMMON_SANDBOX_MAC_H_
 #define CONTENT_COMMON_SANDBOX_MAC_H_
 #pragma once
 
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/hash_tables.h"
 #include "base/gtest_prod_util.h"
+#include "content/public/common/sandbox_type_mac.h"
 
 class FilePath;
 
 #if __OBJC__
 @class NSArray;
 @class NSString;
 #else
 class NSArray;
 class NSString;
 #endif
@@ skipping 26 matching lines @@
   std::string value_;
   SandboxSubstringType type_;
 };
 
 class Sandbox {
  public:
   // A map of variable name -> string to substitute in its place.
   typedef base::hash_map<std::string, SandboxSubstring>
       SandboxVariableSubstitions;
 
-  enum SandboxProcessType {
-    SANDBOX_TYPE_FIRST_TYPE,  // Placeholder to ease iteration.
-
-    SANDBOX_TYPE_RENDERER = SANDBOX_TYPE_FIRST_TYPE,
-
-    // The worker process uses the most restrictive sandbox which has almost
-    // *everything* locked down. Only a couple of /System/Library/ paths and
-    // some other very basic operations (e.g., reading metadata to allow
-    // following symlinks) are permitted.
-    SANDBOX_TYPE_WORKER,
-
-    // Utility process is as restrictive as the worker process except full
-    // access is allowed to one configurable directory.
-    SANDBOX_TYPE_UTILITY,
-
-    // Native Client sandbox for the user's untrusted code.
-    SANDBOX_TYPE_NACL_LOADER,
-
-    // GPU process.
-    SANDBOX_TYPE_GPU,
-
-    // The PPAPI plugin process.
-    SANDBOX_TYPE_PPAPI,
-
-    SANDBOX_AFTER_TYPE_LAST_TYPE,  // Placeholder to ease iteration.
-  };
-
-  // Warm up System APIs that empirically need to be accessed before the Sandbox
-  // is turned on. |sandbox_type| is the type of sandbox to warm up.
-  static void SandboxWarmup(SandboxProcessType sandbox_type);
+  // Warm up System APIs that empirically need to be accessed before the
+  // sandbox is turned on. |sandbox_type| is the type of sandbox to warm up.
+  // Valid |sandbox_type| values are defined by the enum SandboxType, or can be
+  // defined by the embedder via
+  // ContentClient::GetSandboxProfileForProcessType().
+  static void SandboxWarmup(int sandbox_type);
 
   // Turns on the OS X sandbox for this process.
-  // |sandbox_type| - type of Sandbox to use.
+  // |sandbox_type| - type of Sandbox to use. See SandboxWarmup() for legal
+  // values.
   // |allowed_dir| - directory to allow access to, currently the only sandbox
   // profile that supports this is SANDBOX_TYPE_UTILITY .
   //
   // Returns true on success, false if an error occurred enabling the sandbox.
-  static bool EnableSandbox(SandboxProcessType sandbox_type,
+  static bool EnableSandbox(int sandbox_type,
                             const FilePath& allowed_dir);
 
 
   // Exposed for testing purposes, used by an accessory function of our tests
   // so we can't use FRIEND_TEST.
 
   // Build the Sandbox command necessary to allow access to a named directory
   // indicated by |allowed_dir|.
   // Returns a string containing the sandbox profile commands necessary to allow
   // access to that directory or nil if an error occured.
@@ skipping 66 matching lines @@
   FRIEND_TEST(MacDirAccessSandboxTest, StringEscape);
   FRIEND_TEST(MacDirAccessSandboxTest, RegexEscape);
   FRIEND_TEST(MacDirAccessSandboxTest, DISABLED_SandboxAccess);
 
   DISALLOW_IMPLICIT_CONSTRUCTORS(Sandbox);
 };
 
 }  // namespace sandbox
 
 #endif  // CONTENT_COMMON_SANDBOX_MAC_H_