Refactor OS X sandbox processing and audit sandbox files

content/common/sandbox_mac.h

Index: content/common/sandbox_mac.h
diff --git a/content/common/sandbox_mac.h b/content/common/sandbox_mac.h
index 557b4fb7c87671addf373401a8ce39fe1a2dcbd6..12e500fdc0c2d5cb729c3a04cb86bdc0f243fe15 100644
--- a/content/common/sandbox_mac.h
+++ b/content/common/sandbox_mac.h
@@ -27,38 +27,36 @@ class NSString;
 
 namespace content {
 
-// Class representing a substring of the sandbox profile tagged with its type.
-class SandboxSubstring {
+// This class wraps the C-style sandbox APIs in a class to
+// ensure proper initialization and cleanup

[Robert Sesek, 2015/06/16 23:52:40]

nit: Comments should have proper punctuation. Also, you can wrap this a little
more towards the 80 column limit. Apply here and throughout the entire CL (I
didn't mark it anywhere else).

[Greg K, 2015/06/18 20:45:18]

Done.

+class CONTENT_EXPORT SandboxCompiler {

[Robert Sesek, 2015/06/16 23:52:40]

Potential future TODO: Move this to //sandbox/mac and name it
sandbox::ProfileCompiler.

[Greg K, 2015/06/18 20:45:18]

Acknowledged.

  public:
-  enum SandboxSubstringType {
-    PLAIN,    // Just a plain string, no escaping necessary.
-    LITERAL,  // Escape for use in (literal ...) expression.
-    REGEX,    // Escape for use in (regex ...) expression.
-  };
-
-  SandboxSubstring() {}
-
-  explicit SandboxSubstring(const std::string& value)
-      : value_(value),
-        type_(PLAIN) {}
-
-  SandboxSubstring(const std::string& value, SandboxSubstringType type)
-      : value_(value),
-        type_(type) {}
-
-  const std::string& value() { return value_; }
-  SandboxSubstringType type() { return type_; }
+  // Explicit out-of-line constructor

[Robert Sesek, 2015/06/16 23:52:40]

nit: remove, and line 36. This should be obvious to the reader.

[Greg K, 2015/06/18 20:45:18]

Done.

+  explicit SandboxCompiler(const std::string& profile_str);
+  // Explicit out-of-line destructor
+  ~SandboxCompiler();
+  // Initialize the sandbox parameters

[Robert Sesek, 2015/06/16 23:52:40]

When does this method need to be called? Does this need to be called before
anything else?

[Greg K, 2015/06/18 20:45:18]

Acknowledged.

+  bool Init();

[Robert Sesek, 2015/06/16 23:52:40]

nit: Place blank lines after each of these methods.

[Robert Sesek, 2015/06/16 23:52:40]

Potential idea: Remove Init() entirely, and wait to construct |params_| until
CompileAndApplyProfile. Store all the values (including duplicate copies of
"TRUE" and "FALSE", yes), in |strings_|. It makes the API a little cleaner at
the cost of a little more memory. Thoughts?

[Greg K, 2015/06/18 20:45:17]

Done.

[Greg K, 2015/06/18 20:45:18]

Done.

+  // Inserts a boolean into the parameters key/value list
+  void InsertBooleanParam(const std::string& key, bool value);
+  // Inserts a string into the parameters key/value list
+  void InsertStringParam(const std::string& key, const std::string& value);
+  // Compile and apply the profile, returns 0 on success
+  int CompileAndApplyProfile(std::string* error);
 
  private:
-  std::string value_;
-  SandboxSubstringType type_;
+  // Ensure that the C++ strings are not destroyed while the

[Robert Sesek, 2015/06/16 23:52:40]

"Storage for the string parameters that are used in the profile."

[Greg K, 2015/06/18 20:45:18]

Done.

+  // parameters vector holds a pointer to their c_str()
+  std::vector<std::string> strings_;
+  void* params_;

[Robert Sesek, 2015/06/16 23:52:40]

Document these two members.

[Greg K, 2015/06/18 20:45:18]

Done.

+  void* profile_;
+  const std::string profile_str_;
+
+  DISALLOW_COPY_AND_ASSIGN(SandboxCompiler);
 };
 
 class CONTENT_EXPORT Sandbox {
  public:
-  // A map of variable name -> string to substitute in its place.
-  typedef base::hash_map<std::string, SandboxSubstring>
-      SandboxVariableSubstitions;
 
   // Warm up System APIs that empirically need to be accessed before the
   // sandbox is turned on. |sandbox_type| is the type of sandbox to warm up.
@@ -80,58 +78,6 @@ class CONTENT_EXPORT Sandbox {
   // Returns true if the sandbox has been enabled for the current process.
   static bool SandboxIsCurrentlyActive();
 
-  // Exposed for testing purposes, used by an accessory function of our tests
-  // so we can't use FRIEND_TEST.
-
-  // Build the Sandbox command necessary to allow access to a named directory
-  // indicated by |allowed_dir|.
-  // Returns a string containing the sandbox profile commands necessary to allow
-  // access to that directory or nil if an error occured.
-
-  // The header comment for PostProcessSandboxProfile() explains how variable
-  // substition works in sandbox templates.
-  // The returned string contains embedded variables. The function fills in
-  // |substitutions| to contain the values for these variables.
-  static NSString* BuildAllowDirectoryAccessSandboxString(
-                       const base::FilePath& allowed_dir,
-                       SandboxVariableSubstitions* substitutions);
-
-  // Assemble the final sandbox profile from a template by removing comments
-  // and substituting variables.
-  //
-  // |sandbox_template| is a string which contains 2 entitites to operate on:
-  //
-  // - Comments - The sandbox comment syntax is used to make the OS sandbox
-  // optionally ignore commands it doesn't support. e.g.
-  // ;10.6_ONLY (foo)
-  // Where (foo) is some command that is only supported on OS X 10.6.
-  // The ;10.6_ONLY comment can then be removed from the template to enable
-  // (foo) as appropriate.
-  //
-  // - Variables - denoted by @variable_name@ .  These are defined in the
-  // sandbox template in cases where another string needs to be substituted at
-  // runtime. e.g. @HOMEDIR_AS_LITERAL@ is substituted at runtime for the user's
-  // home directory escaped appropriately for a (literal ...) expression.
-  //
-  // |comments_to_remove| is a list of NSStrings containing the comments to
-  // remove.
-  // |substitutions| is a hash of "variable name" -> "string to substitute".
-  // Where the replacement string is tagged with information on how it is to be
-  // escaped e.g. used as part of a regex string or a literal.
-  //
-  // On output |final_sandbox_profile_str| contains the final sandbox profile.
-  // Returns true on success, false otherwise.
-  static bool PostProcessSandboxProfile(
-                  NSString* in_sandbox_data,
-                  NSArray* comments_to_remove,
-                  SandboxVariableSubstitions& substitutions,
-                  std::string *final_sandbox_profile_str);
-
- private:
-  // Returns an (allow file-read-metadata) rule for |allowed_path| and all its
-  // parent directories.
-  static NSString* AllowMetadataForPath(const base::FilePath& allowed_path);
-
   // Escape |src_utf8| for use in a plain string variable in a sandbox
   // configuraton file.  On return |dst| is set to the quoted output.
   // Returns: true on success, false otherwise.
@@ -152,6 +98,7 @@ class CONTENT_EXPORT Sandbox {
   static bool QuoteStringForRegex(const std::string& str_utf8,
                                   std::string* dst);
 
+ private:
   // Convert provided path into a "canonical" path matching what the Sandbox
   // expects i.e. one without symlinks.
   // This path is not necessarily unique e.g. in the face of hardlinks.