Some tweaks to the OS X Sandbox:

chrome/renderer/renderer_main_platform_delegate_mac.mm

 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/renderer/renderer_main_platform_delegate.h"
 
 #include "base/debug_util.h"
 
 #import <Foundation/Foundation.h>
 #import <ApplicationServices/ApplicationServices.h>
@@ skipping 45 matching lines @@
   {  // [-NSColor colorUsingColorSpaceName] - 10.5.6
     NSColor *color = [NSColor controlTextColor];
     [color colorUsingColorSpaceName:NSCalibratedRGBColorSpace];
   }
 
   {  // localtime() - 10.5.6
     time_t tv = {0};
     localtime(&tv);
   }
 
+  { // Gestalt() tries to read /System/Library/CoreServices/SystemVersion.plist
+    // on 10.5.6
+    int32 tmp;
+    base::SysInfo::OperatingSystemVersionNumbers(&tmp, &tmp, &tmp);
+  }
+
   {  // CGImageSourceGetStatus() - 10.6 seed release.
     // Create a png with just enough data to get everything warmed up...
     char png_header[] = {0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A};
     NSData *data = [NSData dataWithBytes:png_header
                                   length:arraysize(png_header)];
     scoped_cftyperef<CGImageSourceRef> img(
         CGImageSourceCreateWithData((CFDataRef)data,
         NULL));
     CGImageSourceGetStatus(img);
   }
@@ skipping 22 matching lines @@
 }
 
 void RendererMainPlatformDelegate::PlatformUninitialize() {
 }
 
 bool RendererMainPlatformDelegate::InitSandboxTests(bool no_sandbox) {
   return true;
 }
 
 bool RendererMainPlatformDelegate::EnableSandbox() {
-
-  // TODO(jeremy): Remove BeingDebugged() and CacheSysInfo() calls. They are
-  // no longer required since the sandbox now allows sysctl() reads.
-
-  // This call doesn't work when the sandbox is enabled, the implementation
-  // caches it's return value so we call it here and then future calls will
-  // succeed.
-  DebugUtil::BeingDebugged();
-
-  // For the renderer, we give it a custom sandbox to lock down as tight as
-  // possible, but still be able to draw.
-
+  // For the renderer, we give it a custom sandbox to lock things down as
+  // tightly as possible, while still enabling drawing.
   NSString* sandbox_profile_path =
       [mac_util::MainAppBundle() pathForResource:@"renderer" ofType:@"sb"];
-  BOOL is_dir = NO;
-  if (![[NSFileManager defaultManager] fileExistsAtPath:sandbox_profile_path
-                                            isDirectory:&is_dir] || is_dir) {
+  NSString *sandbox_data = [NSString

[Paul Godavari, 2009/08/21 21:26:12]

nit: * should be placed consistently.

+      stringWithContentsOfFile:sandbox_profile_path
+      encoding:NSUTF8StringEncoding
+      error:nil];
+
+  if (!sandbox_data) {
     LOG(ERROR) << "Failed to find the sandbox profile on disk";
     return false;
   }
 
-  const char *sandbox_profile = [sandbox_profile_path fileSystemRepresentation];
+  // Splice the path of the user's home directory into the sandbox profile
+  // (see renderer.sb for details).
+  sandbox_data = [sandbox_data
+      stringByReplacingOccurrencesOfString:@"USER_HOMEDIR"
+                                withString:NSHomeDirectory()];
+
   char* error_buff = NULL;
-  int error = sandbox_init(sandbox_profile, SANDBOX_NAMED_EXTERNAL,
-                           &error_buff);
+  int error = sandbox_init([sandbox_data UTF8String], 0, &error_buff);
   bool success = (error == 0 && error_buff == NULL);
   if (error == -1) {
     LOG(ERROR) << "Failed to Initialize Sandbox: " << error_buff;
   }
   sandbox_free_error(error_buff);
   return success;
 }
 
 void RendererMainPlatformDelegate::RunSandboxTests() {
   // TODO(port): Run sandbox unit test here.
 }