
sandbox_mac.h

// Copyright (c) 2009 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_COMMON_SANDBOX_MAC_H_
#define CHROME_COMMON_SANDBOX_MAC_H_

#include "base/file_path.h"

namespace sandbox {

// Selects which sandbox profile EnableSandbox() applies to the current
// process. The comments on each value record the relative restrictiveness of
// that profile as described by the authors of this header.
enum SandboxProcessType {
  // Sandbox profile used for renderer processes.
  SANDBOX_TYPE_RENDERER,

  // Worker processes use the most restrictive sandbox, which has almost
  // *everything* locked down. Only a couple of /System/Library/ paths and
  // some other very basic operations (e.g., reading metadata to allow
  // following symlinks) are permitted.
  SANDBOX_TYPE_WORKER,

  // The utility process is as restrictive as the worker process except that
  // full access is allowed to one configurable directory (the |allowed_dir|
  // argument of EnableSandbox()).
  SANDBOX_TYPE_UTILITY,

  // Native Client sandboxes. The plugin contains trusted code and the
  // loader contains the user's untrusted code, so the two run under
  // separate profiles.
  SANDBOX_TYPE_NACL_PLUGIN,
  SANDBOX_TYPE_NACL_LOADER,
};

// Warm up System APIs that empirically need to be accessed before the Sandbox
// is turned on. Call this before EnableSandbox(): once the sandbox is active,
// the first use of these APIs may be denied by the profile, so the set of
// warmed-up calls should be kept in step with what the profiles allow.
void SandboxWarmup();

// Turns on the OS X sandbox for this process.
// |sandbox_type| - type of Sandbox to use.
// |allowed_dir| - directory to allow access to; currently the only sandbox
// profile that supports this is SANDBOX_TYPE_UTILITY.
//
// |allowed_dir| must be a "simple" string since it's placed as is in a regex,
// i.e. it must not contain quotation characters, escaping or any characters
// that might have special meaning when blindly substituted into a regular
// expression - crbug.com/26492. Because the path is substituted verbatim into
// the sandbox profile, such characters could alter the meaning of the rule
// (widening or breaking the restriction). This header does not say whether
// the string is validated here, so callers should treat that validation as
// their own responsibility and derive |allowed_dir| from trusted,
// well-formed paths only.
// Returns true on success, false if an error occurred enabling the sandbox.
// On a false return the process should not be assumed to be confined.
bool EnableSandbox(SandboxProcessType sandbox_type,
                   const FilePath& allowed_dir);

}  // namespace sandbox

#endif  // CHROME_COMMON_SANDBOX_MAC_H_
