| Index: content/common/common.sb
|
| diff --git a/content/common/common.sb b/content/common/common.sb
|
| index a3cf89b96c2b002bc846c086c2ffeffaa76f83ee..79b96e0bee7db572cd20baaef2077fc4b5374474 100644
|
| --- a/content/common/common.sb
|
| +++ b/content/common/common.sb
|
| @@ -7,30 +7,14 @@
|
| ; included at the start of all other sandbox configuration files in Chrome.
|
| (version 1)
|
|
|
| -; Helper function to check if a param is set to true.
|
| -(define (param-true? str) (string=? (param str) "TRUE"))
|
| -
|
| -; Helper function to determine if a parameter is defined or not.
|
| -(define (param-defined? str) (string? (param str)))
|
| -
|
| -; Define constants for all of the parameter strings passed in.
|
| -(define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
|
| -(define enable-logging "ENABLE_LOGGING")
|
| -(define component-build-workaround "COMPONENT_BUILD_WORKAROUND")
|
| -(define permitted-dir "PERMITTED_DIR")
|
| -(define lion-or-later "LION_OR_LATER")
|
| -(define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
|
| -
|
| -; Consumes a subpath and appends it to the user's homedir path.
|
| -(define (user-homedir-path subpath) (string-append (param homedir-as-literal) subpath))
|
| -
|
| -; DISABLE_SANDBOX_DENIAL_LOGGING turns off log messages in the system log.
|
| -(if (param-true? disable-sandbox-denial-logging)
|
| - (deny default (with no-log))
|
| - (deny default))
|
| +; DISABLE_SANDBOX_DENIAL_LOGGING expands to syntax that turns off log message
|
| +; printing on sandbox exceptions; this functionality only exists on 10.6. The
|
| +; --enable-sandbox-logging flag or system versions <10.6 cause this flag to
|
| +; expand to an empty string. http://crbug.com/26621
|
| +(deny default @DISABLE_SANDBOX_DENIAL_LOGGING@)
|
|
|
| ; Support for programmatically enabling verbose debugging.
|
| -(if (param-true? enable-logging) (debug deny))
|
| +;ENABLE_LOGGING (debug deny)
|
|
|
| ; Allow sending signals to self - http://crbug.com/20370
|
| (allow signal (target self))
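Review bot: The `@DISABLE_SANDBOX_DENIAL_LOGGING@` token in `(deny default @DISABLE_SANDBOX_DENIAL_LOGGING@)` and the `;ENABLE_LOGGING` prefix are replaced as raw text before the profile is compiled, so whatever the substitution writes becomes policy syntax rather than a string value, as it was with the removed `(param ...)` lookups. The substitution code is not visible in this diff; it should only ever insert fixed constant strings, and any path-derived value should be emitted as a quoted, escaped string literal. An unreplaced token presumably makes the profile fail to compile, and the loader should treat that as fatal rather than continue unsandboxed. I would add above the deny rule `; Tokens of the form @NAME@ are replaced textually before compilation; replacements must be fixed strings.` and state on the logging line that `;ENABLE_LOGGING` is a substitution marker, not an ordinary comment. The same concern applies to `@COMPONENT_BUILD_WORKAROUND@` in the second hunk.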
|
| @@ -38,20 +22,24 @@
|
| ; Needed for full-page-zoomed controls - http://crbug.com/11325
|
| (allow sysctl-read)
|
|
|
| +; Each line is marked with the System version that needs it.
|
| +; This profile is tested with the following system versions:
|
| +; 10.5.6, 10.6
|
| +
|
| ; Loading System Libraries.
|
| (allow file-read*
|
| (regex #"^/System/Library/Frameworks($|/)")
|
| (regex #"^/System/Library/PrivateFrameworks($|/)")
|
| - (regex #"^/System/Library/CoreServices($|/)"))
|
| + (regex #"^/System/Library/CoreServices($|/)")) ; 10.5.6
|
|
|
| +; Needed for IPC on 10.6
|
| (allow ipc-posix-shm)
|
|
|
| ; Allow direct access to /dev/urandom, similar to Linux/POSIX, to allow
|
| ; third party code (eg: bits of Adobe Flash and NSS) to function properly.
|
| (allow file-read-data file-read-metadata (literal "/dev/urandom"))
|
|
|
| +; Component build workaround for a dyld bug, used on OS X <= 10.6.
|
| ; Enables reading file metadata for the Chrome bundle and its parent paths.
|
| ; http://crbug.com/127465
|
| -(if (and (param-defined? component-build-workaround)
|
| - (param-true? component-build-workaround))
|
| - (allow file-read-metadata ))
|
| +@COMPONENT_BUILD_WORKAROUND@
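Review bot: The bare `@COMPONENT_BUILD_WORKAROUND@` line now stands for a whole allow rule that is generated outside the profile, so a reader auditing this file can no longer see which paths are granted `file-read-metadata`. A comment stating the expected expansion would keep the policy reviewable, e.g. `; Expands to the file-read-metadata allow rule for the bundle path and its parents, or to nothing when the workaround is off.` (the empty case is inferred, not shown in the hunk). Separately, the new header says each line is marked with the system version that needs it, but only the CoreServices regex carries `; 10.5.6`, and it is unclear whether that marker covers all three regexes. `(allow ipc-posix-shm)` is also granted unconditionally although its new comment names only 10.6.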
|
|
|