Load mac sandbox definitions from resources instead of the bundle.

content/common/sandbox_mac.mm

Index: content/common/sandbox_mac.mm
diff --git a/content/common/sandbox_mac.mm b/content/common/sandbox_mac.mm
index d1ab290e5080afcf74412547069eddee074ac14e..43d3a769b8fe32ffc42032b8680f917a7a50c03a 100644
--- a/content/common/sandbox_mac.mm
+++ b/content/common/sandbox_mac.mm
@@ -21,13 +21,16 @@ extern "C" {
 #include "base/mac/scoped_cftyperef.h"
 #include "base/mac/scoped_nsautorelease_pool.h"
 #include "base/string16.h"
+#include "base/string_piece.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/sys_info.h"
 #include "base/sys_string_conversions.h"
 #include "base/utf_string_conversions.h"
 #include "content/common/chrome_application_mac.h"
+#include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
+#include "grit/content_resources.h"

[jam, 2011/11/17 01:50:46]

initially when separating content from chrome, we couldn't include files from
grit/ because of circular dependencies with chrome. i guess this now solved
because of your earlier patch to create content_resources?

i'm a little worried that people will start including chrome resources now
though. can we make content/DEPS only allow content_resources.h and
webkit_strings.h?

 #include "unicode/uchar.h"
 #include "ui/gfx/gl/gl_surface.h"
 
@@ -190,7 +193,7 @@ bool Sandbox::QuoteStringForRegex(const std::string& str_utf8,
 //     10.5.6, 10.6.0
 
 // static
-void Sandbox::SandboxWarmup(SandboxProcessType sandbox_type) {
+void Sandbox::SandboxWarmup(int sandbox_definition_resource_id) {
   base::mac::ScopedNSAutoreleasePool scoped_pool;
 
   { // CGColorSpaceCreateWithName(), CGBitmapContextCreate() - 10.5.6
@@ -247,18 +250,10 @@ void Sandbox::SandboxWarmup(SandboxProcessType sandbox_type) {
   }
 
   // Process-type dependent warm-up.
-  switch (sandbox_type) {
-    case SANDBOX_TYPE_GPU:
-      {
-         // Preload either the desktop GL or the osmesa so, depending on the
-         // --use-gl flag.
-         gfx::GLSurface::InitializeOneOff();
-      }
-      break;
-
-    default:
-      // To shut up a gcc warning.
-      break;
+  if (sandbox_definition_resource_id == IDR_GPU_SANDBOX_DEFINITION) {
+    // Preload either the desktop GL or the osmesa so, depending on the
+    // --use-gl flag.
+    gfx::GLSurface::InitializeOneOff();
   }
 }
 
@@ -324,64 +319,36 @@ NSString* Sandbox::BuildAllowDirectoryAccessSandboxString(
 
 // Load the appropriate template for the given sandbox type.
 // Returns the template as an NSString or nil on error.
-NSString* LoadSandboxTemplate(Sandbox::SandboxProcessType sandbox_type) {
-  // We use a custom sandbox definition file to lock things down as
-  // tightly as possible.
-  NSString* sandbox_config_filename = nil;
-  switch (sandbox_type) {
-    case Sandbox::SANDBOX_TYPE_RENDERER:
-      sandbox_config_filename = @"renderer";
-      break;
-    case Sandbox::SANDBOX_TYPE_WORKER:
-      sandbox_config_filename = @"worker";
-      break;
-    case Sandbox::SANDBOX_TYPE_UTILITY:
-      sandbox_config_filename = @"utility";
-      break;
-    case Sandbox::SANDBOX_TYPE_NACL_LOADER:
-      // The Native Client loader is used for safeguarding the user's
-      // untrusted code within Native Client.
-      sandbox_config_filename = @"nacl_loader";
-      break;
-    case Sandbox::SANDBOX_TYPE_GPU:
-      sandbox_config_filename = @"gpu";
-      break;
-    case Sandbox::SANDBOX_TYPE_PPAPI:
-      sandbox_config_filename = @"ppapi";
-      break;
-    default:
-      NOTREACHED();
-      return nil;
+NSString* LoadSandboxTemplate(int sandbox_definition_resource_id) {
+  // We use a custom sandbox definition to lock things down as tightly as
+  // possible.
+  base::StringPiece sandbox_definition =
+      content::GetContentClient()->GetDataResource(
+          sandbox_definition_resource_id);
+  if (sandbox_definition.empty()) {
+    DLOG(FATAL) << "Failed to load the sandbox profile (resource id "
+                << sandbox_definition_resource_id << ")";
+    return nil;
   }
 
-  // Read in the sandbox profile and the common prefix file.
-  NSString* common_sandbox_prefix_path =
-      [base::mac::MainAppBundle() pathForResource:@"common"
-                                          ofType:@"sb"];
-  NSString* common_sandbox_prefix_data =
-      [NSString stringWithContentsOfFile:common_sandbox_prefix_path
-                                encoding:NSUTF8StringEncoding
-                                   error:NULL];
-
-  if (!common_sandbox_prefix_data) {
-    DLOG(FATAL) << "Failed to find the sandbox profile on disk "
-                << [common_sandbox_prefix_path fileSystemRepresentation];
+  base::StringPiece common_sandbox_definition =
+      content::GetContentClient()->GetDataResource(
+          IDR_COMMON_SANDBOX_DEFINITION);
+  if (common_sandbox_definition.empty()) {
+    DLOG(FATAL) << "Failed to load the common sandbox profile";
     return nil;
   }
 
-  NSString* sandbox_profile_path =
-      [base::mac::MainAppBundle() pathForResource:sandbox_config_filename
-                                          ofType:@"sb"];
+  NSString* common_sandbox_prefix_data =
+      [[NSString alloc] initWithBytes:common_sandbox_definition.data()
+                               length:common_sandbox_definition.length()
+                             encoding:NSUTF8StringEncoding];
+
   NSString* sandbox_data =
-      [NSString stringWithContentsOfFile:sandbox_profile_path
-                                 encoding:NSUTF8StringEncoding
-                                    error:NULL];
+      [[NSString alloc] initWithBytes:sandbox_definition.data()
+                               length:sandbox_definition.length()
+                             encoding:NSUTF8StringEncoding];
 
-  if (!sandbox_data) {
-    DLOG(FATAL) << "Failed to find the sandbox profile on disk "
-                << [sandbox_profile_path fileSystemRepresentation];
-    return nil;
-  }
 
   // Prefix sandbox_data with common_sandbox_prefix_data.
   return [common_sandbox_prefix_data stringByAppendingString:sandbox_data];
@@ -459,16 +426,16 @@ bool Sandbox::PostProcessSandboxProfile(
 // Turns on the OS X sandbox for this process.
 
 // static
-bool Sandbox::EnableSandbox(SandboxProcessType sandbox_type,
+bool Sandbox::EnableSandbox(int sandbox_definition_resource_id,
                             const FilePath& allowed_dir) {
-  // Sanity - currently only SANDBOX_TYPE_UTILITY supports a directory being
-  // passed in.
-  if (sandbox_type != SANDBOX_TYPE_UTILITY) {
-    DCHECK(allowed_dir.empty())
-        << "Only SANDBOX_TYPE_UTILITY allows a custom directory parameter.";
+  // Sanity - currently only IDR_UTILITY_SANDBOX_DEFINITION supports a
+  // directory being passed in.
+  if (sandbox_definition_resource_id != IDR_UTILITY_SANDBOX_DEFINITION) {
+    DCHECK(allowed_dir.empty()) << "Only IDR_UTILITY_SANDBOX_DEFINITION allows"
+        << " a custom directory parameter.";
   }
 
-  NSString* sandbox_data = LoadSandboxTemplate(sandbox_type);
+  NSString* sandbox_data = LoadSandboxTemplate(sandbox_definition_resource_id);
   if (!sandbox_data) {
     return false;
   }