| Index: content/common/common.sb
|
| diff --git a/content/common/common.sb b/content/common/common.sb
|
| index 79b96e0bee7db572cd20baaef2077fc4b5374474..a3cf89b96c2b002bc846c086c2ffeffaa76f83ee 100644
|
| --- a/content/common/common.sb
|
| +++ b/content/common/common.sb
|
| @@ -7,14 +7,30 @@
|
| ; included at the start of all other sandbox configuration files in Chrome.
|
| (version 1)
|
|
|
| -; DISABLE_SANDBOX_DENIAL_LOGGING expands to syntax that turns off log message
|
| -; printing on sandbox exceptions; this functionality only exists on 10.6. The
|
| -; --enable-sandbox-logging flag or system versions <10.6 cause this flag to
|
| -; expand to an empty string. http://crbug.com/26621
|
| -(deny default @DISABLE_SANDBOX_DENIAL_LOGGING@)
|
| +; Helper function to check if a param is set to true.
|
| +(define (param-true? str) (string=? (param str) "TRUE"))
|
| +
|
| +; Helper function to determine if a parameter is defined or not.
|
| +(define (param-defined? str) (string? (param str)))
|
| +
|
| +; Define constants for all of the parameter strings passed in.
|
| +(define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
|
| +(define enable-logging "ENABLE_LOGGING")
|
| +(define component-build-workaround "COMPONENT_BUILD_WORKAROUND")
|
| +(define permitted-dir "PERMITTED_DIR")
|
| +(define lion-or-later "LION_OR_LATER")
|
| +(define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
|
| +
|
| +; Consumes a subpath and appends it to the user's homedir path.
|
| +(define (user-homedir-path subpath) (string-append (param homedir-as-literal) subpath))
|
| +
|
| +; DISABLE_SANDBOX_DENIAL_LOGGING turns off log messages in the system log.
|
| +(if (param-true? disable-sandbox-denial-logging)
|
| + (deny default (with no-log))
|
| + (deny default))
|
|
|
| ; Support for programmatically enabling verbose debugging.
|
| -;ENABLE_LOGGING (debug deny)
|
| +(if (param-true? enable-logging) (debug deny))
|
|
|
| ; Allow sending signals to self - http://crbug.com/20370
|
| (allow signal (target self))
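Review bot: `param-true?` passes `(param str)` straight to `string=?`, and the `(if (param-true? disable-sandbox-denial-logging) …)` and `(if (param-true? enable-logging) …)` forms call it without the `param-defined?` guard that the component-build check in the second hunk applies. If `param` yields a non-string for a parameter the caller did not pass (which is what `param-defined?` implies), these forms presumably abort profile evaluation, and whether that leaves the process unsandboxed depends on how the caller handles the initialization error. Folding the guard into the helper makes every call site safe: `(define (param-true? str) (and (string? (param str)) (string=? (param str) "TRUE")))`. `user-homedir-path` has the same unguarded read, and an empty `USER_HOMEDIR_AS_LITERAL` would turn a home-relative subpath into a root-relative one, so its comment should state that the caller must always supply a non-empty absolute path.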
|
| @@ -22,24 +38,20 @@
|
| ; Needed for full-page-zoomed controls - http://crbug.com/11325
|
| (allow sysctl-read)
|
|
|
| -; Each line is marked with the System version that needs it.
|
| -; This profile is tested with the following system versions:
|
| -; 10.5.6, 10.6
|
| -
|
| ; Loading System Libraries.
|
| (allow file-read*
|
| (regex #"^/System/Library/Frameworks($|/)")
|
| (regex #"^/System/Library/PrivateFrameworks($|/)")
|
| - (regex #"^/System/Library/CoreServices($|/)")) ; 10.5.6
|
| + (regex #"^/System/Library/CoreServices($|/)"))
|
|
|
| -; Needed for IPC on 10.6
|
| (allow ipc-posix-shm)
|
|
|
| ; Allow direct access to /dev/urandom, similar to Linux/POSIX, to allow
|
| ; third party code (eg: bits of Adobe Flash and NSS) to function properly.
|
| (allow file-read-data file-read-metadata (literal "/dev/urandom"))
|
|
|
| -; Component build workaround for a dyld bug, used on OS X <= 10.6.
|
| ; Enables reading file metadata for the Chrome bundle and its parent paths.
|
| ; http://crbug.com/127465
|
| -@COMPONENT_BUILD_WORKAROUND@
|
| +(if (and (param-defined? component-build-workaround)
|
| + (param-true? component-build-workaround))
|
| + (allow file-read-metadata ))
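Review bot: `(allow file-read-metadata )` on the last added line carries no path filter, so when `COMPONENT_BUILD_WORKAROUND` is "TRUE" it appears to permit metadata reads on every path, while the comment above it promises only the Chrome bundle and its parent paths. Either scope the rule with `literal`/`subpath` filters built from a caller-supplied bundle path, or make the comment state the real grant, e.g. `; Component builds only: allows file-read-metadata on ALL paths (dyld workaround).` The commit also drops the "used on OS X <= 10.6" line, so nothing in the profile records that the workaround was version-limited; if that still holds, keep the note so the rule is not enabled on newer systems by habit.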
|
|
|