Refactor OS X sandbox processing and audit sandbox files

content/common/sandbox_mac_diraccess_unittest.mm

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import <Cocoa/Cocoa.h>
 #include <dirent.h>
 
 extern "C" {
 #include <sandbox.h>
 }
@@ skipping 165 matching lines @@
 
     EXPECT_TRUE(CheckSandbox(sandbox_dir.value()));
   }
 }
 
 MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) {
   char *sandbox_allowed_dir = getenv(kSandboxAccessPathKey);
   if (!sandbox_allowed_dir)
     return -1;
 
+  std::string final_allowed_dir;
+  EXPECT_TRUE(
+      Sandbox::QuoteStringForRegex(sandbox_allowed_dir, &final_allowed_dir));
+
   // Build up a sandbox profile that only allows access to a single directory.
-  NSString *sandbox_profile =
-      @"(version 1)" \
-      "(deny default)" \
-      "(allow signal (target self))" \
-      "(allow sysctl-read)" \
-      ";ENABLE_DIRECTORY_ACCESS";
+  std::string sandbox_profile =
+      "(version 1)"
+      "(define perm_dir (param \"PERMITTED_DIR\"))"
+      "(deny default)"
+      "(allow signal (target self))"
+      "(allow sysctl-read)"
+      "(if (string? perm_dir)"
+      "    (begin"
+      "       (allow file-read-metadata )"
+      "       (allow file-read* file-write* (regex (string-append #\"\" "
+      "perm_dir)))))";
 
-  std::string allowed_dir(sandbox_allowed_dir);
-  Sandbox::SandboxVariableSubstitions substitutions;
-  NSString* allow_dir_sandbox_code =
-      Sandbox::BuildAllowDirectoryAccessSandboxString(
-          base::FilePath(sandbox_allowed_dir),
-          &substitutions);
-  sandbox_profile = [sandbox_profile
-      stringByReplacingOccurrencesOfString:@";ENABLE_DIRECTORY_ACCESS"
-                                withString:allow_dir_sandbox_code];
+  // Setup the parameters to pass to the sandbox.
+  SandboxCompiler compiler(sandbox_profile);
+  CHECK(compiler.InsertStringParam("PERMITTED_DIR", final_allowed_dir));
 
-  std::string final_sandbox_profile_str;
-  if (!Sandbox::PostProcessSandboxProfile(sandbox_profile,
-                                          [NSArray array],
-                                          substitutions,
-                                          &final_sandbox_profile_str)) {
-    LOG(ERROR) << "Call to PostProcessSandboxProfile() failed";
+  // Enable Sandbox.
+  std::string error_str;
+  if (!compiler.CompileAndApplyProfile(&error_str)) {
+    LOG(ERROR) << "Failed to Initialize Sandbox: " << error_str;
     return -1;
   }
 
-  // Enable Sandbox.
-  char* error_buff = NULL;
-  int error = sandbox_init(final_sandbox_profile_str.c_str(), 0, &error_buff);
-  if (error == -1) {
-    LOG(ERROR) << "Failed to Initialize Sandbox: " << error_buff;
-    return -1;
-  }
-  sandbox_free_error(error_buff);
-
   // Test Sandbox.
 
   // We should be able to list the contents of the sandboxed directory.
   DIR *file_list = NULL;
   file_list = opendir(sandbox_allowed_dir);
   if (!file_list) {
     PLOG(ERROR) << "Sandbox overly restrictive: call to opendir("
                 << sandbox_allowed_dir
                 << ") failed";
     return -1;
@@ skipping 68 matching lines @@
     PLOG(ERROR) << "Sandbox breach: was able to write ("
                 << denied_file2.value()
                 << ")";
     return -1;
   }
 
   return 0;
 }
 
 }  // namespace content