content/common/common.sb - Issue 1186233004: Refactor OS X sandbox processing and audit sandbox files

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/common/common.sb

Issue 1186233004: Refactor OS X sandbox processing and audit sandbox files (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Refactor OS X sandbox processing and audit sandbox files Created 5 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/common/common.sb

diff --git a/content/common/common.sb b/content/common/common.sb

index 79b96e0bee7db572cd20baaef2077fc4b5374474..3bdaeb008e0606c941626627c05322b8b749d564 100644

--- a/content/common/common.sb

+++ b/content/common/common.sb

@@ -7,14 +7,31 @@

; included at the start of all other sandbox configuration files in Chrome.

(version 1)

-; DISABLE_SANDBOX_DENIAL_LOGGING expands to syntax that turns off log message

+; Helper function to check if a param is set to true

+(define (param-true? str) (string=? (param str) "TRUE"))

+; Helper function to determine if a parameter is defined or not

+; Very simple function but it makes the code clearer

+(define (param-defined? str) (string? (param str)))

+; Define constants for all of the parameter strings passed in

+(define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")

+(define enable-logging "ENABLE_LOGGING")

+(define component-build-workaround "COMPONENT_BUILD_WORKAROUND")

+(define perm-dir "PERMITTED_DIR")

+(define lion-or-later "LION_OR_LATER")

+(define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")

+; DISABLE_SANDBOX_DENIAL_LOGGING turns off log message

; printing on sandbox exceptions; this functionality only exists on 10.6. The

; --enable-sandbox-logging flag or system versions <10.6 cause this flag to

; expand to an empty string. http://crbug.com/26621

-(deny default @DISABLE_SANDBOX_DENIAL_LOGGING@)

+(if (param-true? disable-sandbox-denial-logging)

+ (deny default (with no-log))

+ (deny default))

; Support for programmatically enabling verbose debugging.

-;ENABLE_LOGGING (debug deny)

+(if (param-true? enable-logging) (debug deny))

; Allow sending signals to self - http://crbug.com/20370

(allow signal (target self))

@@ -30,7 +47,7 @@

(allow file-read*

(regex #"^/System/Library/Frameworks($|/)")

(regex #"^/System/Library/PrivateFrameworks($|/)")

- (regex #"^/System/Library/CoreServices($|/)")) ; 10.5.6

+ (regex #"^/System/Library/CoreServices($|/)"))

; Needed for IPC on 10.6

(allow ipc-posix-shm)

@@ -42,4 +59,5 @@

; Component build workaround for a dyld bug, used on OS X <= 10.6.

; Enables reading file metadata for the Chrome bundle and its parent paths.

; http://crbug.com/127465

-@COMPONENT_BUILD_WORKAROUND@

+(if (param-defined? component-build-workaround)

+ (allow file-read-metadata ))

« no previous file with comments | « content/browser/gpu.sb ('k') | content/common/sandbox_mac.h » ('j') | content/common/sandbox_mac.h » ('J')