Refactor OS X sandbox processing and audit sandbox files

content/common/sandbox_mac.h

Index: content/common/sandbox_mac.h
diff --git a/content/common/sandbox_mac.h b/content/common/sandbox_mac.h
index 557b4fb7c87671addf373401a8ce39fe1a2dcbd6..54ac063ecf52be5dbb76a63cd1a44a90811d0801 100644
--- a/content/common/sandbox_mac.h
+++ b/content/common/sandbox_mac.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.

[jln (very slow on Chromium), 2015/06/16 18:18:12]

Don't change the date in existing file (for new files, the "(c)" is no longer
needed)

 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -27,38 +27,38 @@ class NSString;
 
 namespace content {
 
-// Class representing a substring of the sandbox profile tagged with its type.
-class SandboxSubstring {
+// This class wraps the C-style sandbox APIs in a class to
+// ensure proper initialization and cleanup
+class CONTENT_EXPORT SandboxCompiler {
  public:
-  enum SandboxSubstringType {
-    PLAIN,    // Just a plain string, no escaping necessary.
-    LITERAL,  // Escape for use in (literal ...) expression.
-    REGEX,    // Escape for use in (regex ...) expression.
-  };
-
-  SandboxSubstring() {}
-
-  explicit SandboxSubstring(const std::string& value)
-      : value_(value),
-        type_(PLAIN) {}
-
-  SandboxSubstring(const std::string& value, SandboxSubstringType type)
-      : value_(value),
-        type_(type) {}
-
-  const std::string& value() { return value_; }
-  SandboxSubstringType type() { return type_; }
+  // Explicit out-of-line constructor
+  explicit SandboxCompiler(const std::string& profile_str);
+  // Explicit out-of-line destructor
+  ~SandboxCompiler();
+  // Disable copy constructor

[jln (very slow on Chromium), 2015/06/16 18:18:12]

Use DISALLOW_COPY_AND_ASSIGN instead.

+  SandboxCompiler(const SandboxCompiler& that) = delete;
+  // Disable move constructor
+  SandboxCompiler& operator=(const SandboxCompiler& that) = delete;
+  // Initialize the sandbox parameters
+  bool Init();
+  // Inserts a boolean into the parameters key/value list
+  void InsertBooleanParam(const std::string& key, bool value);
+  // Inserts a string into the parameters key/value list
+  void InsertStringParam(const std::string& key, const std::string& value);
+  // Compile and apply the profile, returns 0 on success
+  int CompileAndApplyProfile(std::string* error);
 
  private:
-  std::string value_;
-  SandboxSubstringType type_;
+  // Ensure that the C++ strings are not destroyed while the
+  // parameters vector holds a pointer to their c_str()
+  std::vector<std::string> strings_;
+  void* params_;
+  void* profile_;
+  const std::string profile_str_;
 };
 
 class CONTENT_EXPORT Sandbox {
  public:
-  // A map of variable name -> string to substitute in its place.
-  typedef base::hash_map<std::string, SandboxSubstring>
-      SandboxVariableSubstitions;
 
   // Warm up System APIs that empirically need to be accessed before the
   // sandbox is turned on. |sandbox_type| is the type of sandbox to warm up.
@@ -80,58 +80,6 @@ class CONTENT_EXPORT Sandbox {
   // Returns true if the sandbox has been enabled for the current process.
   static bool SandboxIsCurrentlyActive();
 
-  // Exposed for testing purposes, used by an accessory function of our tests
-  // so we can't use FRIEND_TEST.
-
-  // Build the Sandbox command necessary to allow access to a named directory
-  // indicated by |allowed_dir|.
-  // Returns a string containing the sandbox profile commands necessary to allow
-  // access to that directory or nil if an error occured.
-
-  // The header comment for PostProcessSandboxProfile() explains how variable
-  // substition works in sandbox templates.
-  // The returned string contains embedded variables. The function fills in
-  // |substitutions| to contain the values for these variables.
-  static NSString* BuildAllowDirectoryAccessSandboxString(
-                       const base::FilePath& allowed_dir,
-                       SandboxVariableSubstitions* substitutions);
-
-  // Assemble the final sandbox profile from a template by removing comments
-  // and substituting variables.
-  //
-  // |sandbox_template| is a string which contains 2 entitites to operate on:
-  //
-  // - Comments - The sandbox comment syntax is used to make the OS sandbox
-  // optionally ignore commands it doesn't support. e.g.
-  // ;10.6_ONLY (foo)
-  // Where (foo) is some command that is only supported on OS X 10.6.
-  // The ;10.6_ONLY comment can then be removed from the template to enable
-  // (foo) as appropriate.
-  //
-  // - Variables - denoted by @variable_name@ .  These are defined in the
-  // sandbox template in cases where another string needs to be substituted at
-  // runtime. e.g. @HOMEDIR_AS_LITERAL@ is substituted at runtime for the user's
-  // home directory escaped appropriately for a (literal ...) expression.
-  //
-  // |comments_to_remove| is a list of NSStrings containing the comments to
-  // remove.
-  // |substitutions| is a hash of "variable name" -> "string to substitute".
-  // Where the replacement string is tagged with information on how it is to be
-  // escaped e.g. used as part of a regex string or a literal.
-  //
-  // On output |final_sandbox_profile_str| contains the final sandbox profile.
-  // Returns true on success, false otherwise.
-  static bool PostProcessSandboxProfile(
-                  NSString* in_sandbox_data,
-                  NSArray* comments_to_remove,
-                  SandboxVariableSubstitions& substitutions,
-                  std::string *final_sandbox_profile_str);
-
- private:
-  // Returns an (allow file-read-metadata) rule for |allowed_path| and all its
-  // parent directories.
-  static NSString* AllowMetadataForPath(const base::FilePath& allowed_path);
-
   // Escape |src_utf8| for use in a plain string variable in a sandbox
   // configuraton file.  On return |dst| is set to the quoted output.
   // Returns: true on success, false otherwise.
@@ -152,6 +100,7 @@ class CONTENT_EXPORT Sandbox {
   static bool QuoteStringForRegex(const std::string& str_utf8,
                                   std::string* dst);
 
+ private:
   // Convert provided path into a "canonical" path matching what the Sandbox
   // expects i.e. one without symlinks.
   // This path is not necessarily unique e.g. in the face of hardlinks.