content/common/sandbox_mac_diraccess_unittest.mm - Issue 1186233004: Refactor OS X sandbox processing and audit sandbox files

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/common/sandbox_mac_diraccess_unittest.mm

Issue 1186233004: Refactor OS X sandbox processing and audit sandbox files (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/common/sandbox_mac_diraccess_unittest.mm

diff --git a/content/common/sandbox_mac_diraccess_unittest.mm b/content/common/sandbox_mac_diraccess_unittest.mm

index a403ecd25634fa6847423c04df67b1c5ce830335..1e8ce8dbfefcb0675a685dc9b87c6cc141705c1f 100644

--- a/content/common/sandbox_mac_diraccess_unittest.mm

+++ b/content/common/sandbox_mac_diraccess_unittest.mm

@@ -183,41 +183,38 @@ MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) {

if (!sandbox_allowed_dir)

return -1;

+ std::string final_allowed_dir;

+ EXPECT_TRUE(

+ Sandbox::QuoteStringForRegex(sandbox_allowed_dir, &final_allowed_dir));

// Build up a sandbox profile that only allows access to a single directory.

- NSString *sandbox_profile =

- @"(version 1)" \

- "(deny default)" \

- "(allow signal (target self))" \

- "(allow sysctl-read)" \

- ";ENABLE_DIRECTORY_ACCESS";

- std::string allowed_dir(sandbox_allowed_dir);

- Sandbox::SandboxVariableSubstitions substitutions;

- NSString* allow_dir_sandbox_code =

- Sandbox::BuildAllowDirectoryAccessSandboxString(

- base::FilePath(sandbox_allowed_dir),

- &substitutions);

- sandbox_profile = [sandbox_profile

- stringByReplacingOccurrencesOfString:@";ENABLE_DIRECTORY_ACCESS"

- withString:allow_dir_sandbox_code];

- std::string final_sandbox_profile_str;

- if (!Sandbox::PostProcessSandboxProfile(sandbox_profile,

- [NSArray array],

- substitutions,

- &final_sandbox_profile_str)) {

- LOG(ERROR) << "Call to PostProcessSandboxProfile() failed";

+ std::string sandbox_profile =

+ "(version 1)"

+ "(define perm_dir (param \"PERMITTED_DIR\"))"

+ "(deny default)"

+ "(allow signal (target self))"

+ "(allow sysctl-read)"

+ "(if (string? perm_dir)"

+ " (begin"

+ " (allow file-read-metadata )"

+ " (allow file-read* file-write* (regex (string-append #\"\" "

+ "perm_dir)))))";

+ // Setup the parameters to pass to the sandbox

+ SandboxCompiler compiler(sandbox_profile);

+ if (!compiler.Init()) {

+ LOG(ERROR) << "Could not initialize sandbox compiler";

return -1;

}

+ compiler.InsertStringParam("PERMITTED_DIR", final_allowed_dir);

// Enable Sandbox.

- char* error_buff = NULL;

- int error = sandbox_init(final_sandbox_profile_str.c_str(), 0, &error_buff);

- if (error == -1) {

- LOG(ERROR) << "Failed to Initialize Sandbox: " << error_buff;

+ std::string error_str;

+ int error = compiler.CompileAndApplyProfile(&error_str);

+ if (error != 0) {

+ LOG(ERROR) << "Failed to Initialize Sandbox: " << error_str;

return -1;

}

- sandbox_free_error(error_buff);

// Test Sandbox.

« content/common/sandbox_mac.mm ('K') | « content/common/sandbox_mac_compiler_unittest.mm ('k') | content/content_common.gypi » ('j') | no next file with comments »