Add the SeatbeltExec classes to facilitate the V2 sandbox.

sandbox/mac/seatbelt_exec.h

Index: sandbox/mac/seatbelt_exec.h
diff --git a/sandbox/mac/seatbelt_exec.h b/sandbox/mac/seatbelt_exec.h
new file mode 100644
index 0000000000000000000000000000000000000000..91fa22c1c52d237b010d9ba65720eab9baa959f4
--- /dev/null
+++ b/sandbox/mac/seatbelt_exec.h
@@ -0,0 +1,82 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_MAC_SEATBELT_EXEC_H_
+#define SANDBOX_MAC_SEATBELT_EXEC_H_
+
+#include <string>
+#include <unordered_map>
+
+#include "base/compiler_specific.h"
+#include "sandbox/mac/seatbelt.pb.h"
+#include "seatbelt_export.h"

[Robert Sesek, 2017/05/15 21:05:24]

nit: fully-qualified include paths

[Greg K, 2017/05/17 17:57:24]

Done.

+
+namespace sandbox {
+
+// SeatbeltExecClient is used by the process that is launching another sandboxed
+// process. The API allows the launcher process to supply a sandbox profile and
+// parameters, which will be communicated to the sandboxed process over IPC.
+class SEATBELT_EXPORT SeatbeltExecClient {
+ public:
+  SeatbeltExecClient();
+  ~SeatbeltExecClient();
+
+  // The Set*Parameter functions return true if the parameter was successfully
+  // inserted. Check the return value, which indicates if the parameter was
+  // added successfully.
+
+  // Set a boolean parameter in the sandbox profile.
+  bool SetBooleanParameter(const std::string& key,
+                           bool value) WARN_UNUSED_RESULT;
+  // Set a string parameter in the sandbox profile.
+  bool SetParameter(const std::string& key,
+                    const std::string& value) WARN_UNUSED_RESULT;
+  // Set the actual sandbox profile, using the scheme-like SBPL.

[Robert Sesek, 2017/05/15 21:05:24]

nit: blank line above

[Greg K, 2017/05/17 17:57:24]

Done.

+  void SetProfile(const char* policy);

[Robert Sesek, 2017/05/15 21:05:24]

|const char*| -> |base::StringPiece|

May also want to do the above Set*Parameter functions, so that an implicit
conversion to std::string can be avoided for const char keys.

[Greg K, 2017/05/17 17:57:24]

Done.

+  // Sends the policy to the SeatbeltExecServer and returns the communication

[Robert Sesek, 2017/05/15 21:05:24]

nit: blank line above

[Greg K, 2017/05/17 17:57:24]

Done.

+  // FD.

[Robert Sesek, 2017/05/15 21:05:24]

What is the caller supposed to do with the FD?

[Greg K, 2017/05/17 17:57:24]

Done.

+  int SendProfileAndGetFD();
+
+  // Returns the underlying protobuf for testing purposes.
+  const sandbox::mac::SandboxPolicy& GetPolicyForTesting() { return policy_; }
+
+ private:
+  // This writes a string (the serialized protobuf) to the |pipe_|.
+  bool WriteString(const std::string& str);
+
+  // This is the protobuf which contains the sandbox profile and parameters,
+  // and is serialized and sent to the other process.
+  sandbox::mac::SandboxPolicy policy_;
+
+  // A file descriptor pair used for interprocess communication.
+  int pipe_[2];
+};
+
+// SeatbeltExecServer is used by the process that will be sandboxed to receive
+// the profile and parameters from the launcher process. It can then initialize
+// the profiel, sandboxing the process.

[Robert Sesek, 2017/05/15 21:05:24]

spelling: profile

[Greg K, 2017/05/17 17:57:24]

Done.

+class SEATBELT_EXPORT SeatbeltExecServer {
+ public:
+  explicit SeatbeltExecServer(int sandbox_fd);
+  ~SeatbeltExecServer();
+
+  // Read the parameters and policy from the client, and apply the sandbox. This
+  // returns 0 on success, otherwise -1.

[Robert Sesek, 2017/05/15 21:05:24]

Should this function and the one below just return bool then?

[Greg K, 2017/05/17 17:57:24]

Done.

+  int InitializeSandbox();
+
+  // Applies the given sandbox profile, and returns 0 on success, otherwise -1.
+  int ApplySandboxProfile(const mac::SandboxPolicy& sandbox_policy);

[Robert Sesek, 2017/05/15 21:05:24]

Does this need to be public?

[Greg K, 2017/05/17 17:57:24]

If this method isn't public, it's hard to test from the multiprocess unit test.
And ifs called "*ForTesting," then it cannot be called from the
InitializeSandbox() method.

[Robert Sesek, 2017/05/17 18:35:26]

Got it. How about making it static then?

+
+ private:
+  // Reads from the |fd_| and stores the data into a string. This does
+  // not append a NUL terminator as protobuf does not expect one.
+  bool ReadString(std::string* string);
+
+  // The file descriptor used to communicate with the launcher process.
+  int fd_;

[Robert Sesek, 2017/05/15 21:05:24]

Maybe ScopedFD? Maybe also for pipe_ above but it's probably a bit more clumsy
there.

[Greg K, 2017/05/17 17:57:24]

Done. And I do think it's a bit clumsy for the pipe_.

+};
+
+}  // namespace sandbox
+
+#endif  // SANDBOX_MAC_SEATBELT_EXEC_H_