#include <map>
#include <string>
#include "base/containers/hash_tables.h"
#include "base/gtest_prod_util.h"
#include "base/macros.h"
#include "content/common/content_export.h"
#include "content/public/common/sandbox_type.h"
namespace base {
class FilePath;
#if __OBJC__
@class NSArray;
@class NSString;
class NSArray;
class NSString;
namespace content {
// This class wraps the C-style sandbox APIs in a class to ensure proper
// initialization and cleanup.
class CONTENT_EXPORT SandboxCompiler {
explicit SandboxCompiler(const std::string& profile_str);
// Inserts a boolean into the parameters key/value map. A duplicate key is not
// allowed, and will cause the function to return false. The value is not
// inserted in this case.
bool InsertBooleanParam(const std::string& key, bool value);
// Inserts a string into the parameters key/value map. A duplicate key is not
// allowed, and will cause the function to return false. The value is not
// inserted in this case.
bool InsertStringParam(const std::string& key, const std::string& value);
// Compiles and applies the profile; returns true on success.
bool CompileAndApplyProfile(std::string* error);
// Frees all of the system resources allocated for the sandbox.
void FreeSandboxResources(void* profile, void* params, char* error);
// Storage of the key/value pairs of strings that are used in the sandbox
// profile.
std::map<std::string, std::string> params_map_;
// The sandbox profile source code.
const std::string profile_str_;
class CONTENT_EXPORT Sandbox {
// Warm up System APIs that empirically need to be accessed before the
// sandbox is turned on. |sandbox_type| is the type of sandbox to warm up.
// Valid |sandbox_type| values are defined by the enum SandboxType, or can be
// defined by the embedder via
// ContentClient::GetSandboxProfileForProcessType().
static void SandboxWarmup(int sandbox_type);
// Turns on the OS X sandbox for this process.
// |sandbox_type| - type of Sandbox to use. See SandboxWarmup() for legal
// values.
// |allowed_dir| - directory to allow access to, currently the only sandbox
// profile that supports this is SANDBOX_TYPE_UTILITY .
// Returns true on success, false if an error occurred enabling the sandbox.
static bool EnableSandbox(int sandbox_type,
const base::FilePath& allowed_dir);
// Returns true if the sandbox has been enabled for the current process.
static bool SandboxIsCurrentlyActive();
// Escape |src_utf8| for use in a plain string variable in a sandbox
// configuraton file. On return |dst| is set to the quoted output.
// Returns: true on success, false otherwise.
static bool QuotePlainString(const std::string& src_utf8, std::string* dst);
// Escape |str_utf8| for use in a regex literal in a sandbox
// configuraton file. On return |dst| is set to the utf-8 encoded quoted
// output.
// The implementation of this function is based on empirical testing of the
// OS X sandbox on 10.5.8 & 10.6.2 which is undocumented and subject to
// change.
// Note: If str_utf8 contains any characters < 32 || >125 then the function
// fails and false is returned.
// Returns: true on success, false otherwise.
static bool QuoteStringForRegex(const std::string& str_utf8,
std::string* dst);
// Convert provided path into a "canonical" path matching what the Sandbox
// expects i.e. one without symlinks.
// This path is not necessarily unique e.g. in the face of hardlinks.
static base::FilePath GetCanonicalSandboxPath(const base::FilePath& path);
} // namespace content