[Mac] Shut down connections to WindowServer before engaging the sandbox.

content/common/sandbox_mac.mm

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_mac.h"
 
 #import <Cocoa/Cocoa.h>
 
 #include <CoreFoundation/CFTimeZone.h>
 extern "C" {
@@ skipping 20 matching lines @@
 #include "base/strings/sys_string_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/sys_info.h"
 #include "content/grit/content_resources.h"
 #include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "third_party/icu/source/common/unicode/uchar.h"
 #include "ui/base/layout.h"
 #include "ui/gl/gl_surface.h"
 
+extern "C" {
+void CGSSetDenyWindowServerConnections(bool);
+void CGSShutdownServerConnections();
+};
+
 namespace content {
 namespace {
 
 // Is the sandbox currently active.
 bool gSandboxIsActive = false;
 
 struct SandboxTypeToResourceIDMapping {
   SandboxType sandbox_type;
   int sandbox_profile_resource_id;
 };
@@ skipping 210 matching lines @@
     base::ScopedCFTypeRef<CGContextRef> context(CGBitmapContextCreate(
         data,
         1,
         1,
         8,
         1 * 4,
         rgb_colorspace,
         kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host));
 
     // Load in the color profiles we'll need (as a side effect).
-    (void) base::mac::GetSRGBColorSpace();
-    (void) base::mac::GetSystemColorSpace();
+    ignore_result(base::mac::GetSRGBColorSpace());
+    ignore_result(base::mac::GetSystemColorSpace());
 
     // CGColorSpaceCreateSystemDefaultCMYK - 10.6
     base::ScopedCFTypeRef<CGColorSpaceRef> cmyk_colorspace(
         CGColorSpaceCreateWithName(kCGColorSpaceGenericCMYK));
   }
 
   { // localtime() - 10.5.6
     time_t tv = {0};
     localtime(&tv);
   }
@@ skipping 35 matching lines @@
     // Preload either the desktop GL or the osmesa so, depending on the
     // --use-gl flag.
     gfx::GLSurface::InitializeOneOff();
   }
 
   if (sandbox_type == SANDBOX_TYPE_PPAPI) {
     // Preload AppKit color spaces used for Flash/ppapi. http://crbug.com/348304
     NSColor* color = [NSColor controlTextColor];
     [color colorUsingColorSpaceName:NSCalibratedRGBColorSpace];
   }
+
+  if (sandbox_type == SANDBOX_TYPE_RENDERER &&
+      base::mac::IsOSMountainLionOrLater()) {
+    // Now disconnect from WindowServer, after all objects have been warmed up.
+    // Shutting down the connection requires connecting to WindowServer,
+    // so do this before actually engaging the sandbox. This is only done on
+    // 10.8 and higher because doing it on earlier OSes causes layout tests to
+    // fail <http://crbug.com/397642#c48>. This may cause two log messages to
+    // be printed to the system logger on certain OS versions.
+    CGSSetDenyWindowServerConnections(true);
+    CGSShutdownServerConnections();
+  }
 }
 
 // static
 NSString* Sandbox::BuildAllowDirectoryAccessSandboxString(
     const base::FilePath& allowed_dir,
     SandboxVariableSubstitions* substitutions) {
   // A whitelist is used to determine which directories can be statted
   // This means that in the case of an /a/b/c/d/ directory, we may be able to
   // stat the leaf directory, but not its parent.
   // The extension code in Chrome calls realpath() which fails if it can't call
@@ skipping 276 matching lines @@
   if (HANDLE_EINTR(fcntl(fd.get(), F_GETPATH, canonical_path)) != 0) {
     DPLOG(FATAL) << "GetCanonicalSandboxPath() failed for: "
                  << path.value();
     return path;
   }
 
   return base::FilePath(canonical_path);
 }
 
 }  // namespace content