Mac Sandbox: Clean up forward declaration of internal sandbox functions.

Move all Sandbox functions into their own class and declare functions needed by tests as private with FRIEND_TEST declarations where appropriate. BUG=60917 TEST=Chrome on Mac should run and unit tests should pass. Review URL: http://codereview.chromium.org/4380001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65332 0039d316-1c4b-4281-b951-d872f2087c98

Mac Sandbox: Clean up forward declaration of internal sandbox functions.
Move all Sandbox functions into their own class and declare functions needed by tests as private with FRIEND_TEST declarations where appropriate. BUG=60917 TEST=Chrome on Mac should run and unit tests should pass. Review URL: http://codereview.chromium.org/4380001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65332 0039d316-1c4b-4281-b951-d872f2087c98
846798e2 · jeremy@chromium.org · 620bafaf · 846798e2 · 846798e2 · 846798e2
Commit 846798e2 authored 14 years ago by jeremy@chromium.org
--- a/chrome/common/sandbox_init_wrapper_mac.cc
+++ b/chrome/common/sandbox_init_wrapper_mac.cc
@@ -12,10 +12,12 @@

 bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
                                           const std::string& process_type) {
+  using sandbox::Sandbox;
+
  if (command_line.HasSwitch(switches::kNoSandbox))
    return true;

-  sandbox::SandboxProcessType sandbox_process_type;
+  Sandbox::SandboxProcessType sandbox_process_type;
  FilePath allowed_dir;  // Empty by default.

  if (process_type.empty()) {
@@ -29,7 +31,7 @@ bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
      // this once this flag is removed.
      return true;
    } else {
-      sandbox_process_type = sandbox::SANDBOX_TYPE_RENDERER;
+      sandbox_process_type = Sandbox::SANDBOX_TYPE_RENDERER;
    }
  } else if (process_type == switches::kExtensionProcess) {
    // Extension processes are just renderers [they use RenderMain()] with a
@@ -42,15 +44,15 @@ bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
    return true;
  } else if (process_type == switches::kUtilityProcess) {
    // Utility process sandbox.
-    sandbox_process_type = sandbox::SANDBOX_TYPE_UTILITY;
+    sandbox_process_type = Sandbox::SANDBOX_TYPE_UTILITY;
    allowed_dir =
        command_line.GetSwitchValuePath(switches::kUtilityProcessAllowedDir);
  } else if (process_type == switches::kWorkerProcess) {
    // Worker process sandbox.
-    sandbox_process_type = sandbox::SANDBOX_TYPE_WORKER;
+    sandbox_process_type = Sandbox::SANDBOX_TYPE_WORKER;
  } else if (process_type == switches::kNaClLoaderProcess) {
    // Native Client sel_ldr (user untrusted code) sandbox.
-    sandbox_process_type = sandbox::SANDBOX_TYPE_NACL_LOADER;
+    sandbox_process_type = Sandbox::SANDBOX_TYPE_NACL_LOADER;
  } else if ((process_type == switches::kPluginProcess) ||
             (process_type == switches::kProfileImportProcess) ||
             (process_type == switches::kGpuProcess) ||
@@ -64,8 +66,8 @@ bool SandboxInitWrapper::InitializeSandbox(const CommandLine& command_line,
  }

  // Warm up APIs before turning on the sandbox.
-  sandbox::SandboxWarmup();
+  Sandbox::SandboxWarmup();

  // Actually sandbox the process.
-  return sandbox::EnableSandbox(sandbox_process_type, allowed_dir);
+  return Sandbox::EnableSandbox(sandbox_process_type, allowed_dir);
 }
--- a/chrome/common/sandbox_mac.h
+++ b/chrome/common/sandbox_mac.h
@@ -8,54 +8,21 @@

 #include <string>

-class FilePath;
-
-namespace sandbox {
-
-enum SandboxProcessType {
-  SANDBOX_TYPE_FIRST_TYPE,  // Placeholder to ease iteration.
-
-  SANDBOX_TYPE_RENDERER = SANDBOX_TYPE_FIRST_TYPE,
-
-  // The worker processes uses the most restrictive sandbox which has almost
-  // *everything* locked down. Only a couple of /System/Library/ paths and
-  // some other very basic operations (e.g., reading metadata to allow
-  // following symlinks) are permitted.
-  SANDBOX_TYPE_WORKER,
+#include "base/basictypes.h"
+#include "base/hash_tables.h"
+#include "base/gtest_prod_util.h"

-  // Utility process is as restrictive as the worker process except full access
-  // is allowed to one configurable directory.
-  SANDBOX_TYPE_UTILITY,
-
-  // Native Client sandbox for the user's untrusted code.
-  SANDBOX_TYPE_NACL_LOADER,
+class FilePath;

-  SANDBOX_AFTER_TYPE_LAST_TYPE,  // Placeholder to ease iteration.
-};
+#if __OBJC__
+@class NSArray;
+@class NSString;
+#else
+class NSArray;
+class NSString;
+#endif

-// Warm up System APIs that empirically need to be accessed before the Sandbox
-// is turned on.
-void SandboxWarmup();
-
-// Turns on the OS X sandbox for this process.
-// |sandbox_type| - type of Sandbox to use.
-// |allowed_dir| - directory to allow access to, currently the only sandbox
-// profile that supports this is SANDBOX_TYPE_UTILITY .
-//
-// |allowed_dir| must be a "simple" string since it's placed as is in a regex
-// i.e. it must not contain quotation characters, escaping or any characters
-// that might have special meaning when blindly substituted into a regular
-// expression - crbug.com/26492 .
-// Returns true on success, false if an error occurred enabling the sandbox.
-bool EnableSandbox(SandboxProcessType sandbox_type,
-                   const FilePath& allowed_dir);
-
-// Convert provided path into a "canonical" path matching what the Sandbox
-// expects i.e. one without symlinks.
-// This path is not necessarily unique e.g. in the face of hardlinks.
-void GetCanonicalSandboxPath(FilePath* path);
-
-// Exposed for testing.
+namespace sandbox {

 // Class representing a substring of the sandbox profile tagged with its type.
 class SandboxSubstring {
@@ -84,6 +51,127 @@ class SandboxSubstring {
  SandboxSubstringType type_;
 };

+class Sandbox {
+ public:
+  // A map of variable name -> string to substitute in its place.
+  typedef base::hash_map<std::string, SandboxSubstring>
+      SandboxVariableSubstitions;
+
+  enum SandboxProcessType {
+    SANDBOX_TYPE_FIRST_TYPE,  // Placeholder to ease iteration.
+
+    SANDBOX_TYPE_RENDERER = SANDBOX_TYPE_FIRST_TYPE,
+
+    // The worker process uses the most restrictive sandbox which has almost
+    // *everything* locked down. Only a couple of /System/Library/ paths and
+    // some other very basic operations (e.g., reading metadata to allow
+    // following symlinks) are permitted.
+    SANDBOX_TYPE_WORKER,
+
+    // Utility process is as restrictive as the worker process except full
+    // access is allowed to one configurable directory.
+    SANDBOX_TYPE_UTILITY,
+
+    // Native Client sandbox for the user's untrusted code.
+    SANDBOX_TYPE_NACL_LOADER,
+
+    SANDBOX_AFTER_TYPE_LAST_TYPE,  // Placeholder to ease iteration.
+  };
+
+  // Warm up System APIs that empirically need to be accessed before the Sandbox
+  // is turned on.
+  static void SandboxWarmup();
+
+  // Turns on the OS X sandbox for this process.
+  // |sandbox_type| - type of Sandbox to use.
+  // |allowed_dir| - directory to allow access to, currently the only sandbox
+  // profile that supports this is SANDBOX_TYPE_UTILITY .
+  //
+  // Returns true on success, false if an error occurred enabling the sandbox.
+  static bool EnableSandbox(SandboxProcessType sandbox_type,
+                            const FilePath& allowed_dir);
+
+
+  // Exposed for testing purposes, used by an accessory function of our tests
+  // so we can't use FRIEND_TEST.
+
+  // Build the Sandbox command necessary to allow access to a named directory
+  // indicated by |allowed_dir|.
+  // Returns a string containing the sandbox profile commands necessary to allow
+  // access to that directory or nil if an error occured.
+
+  // The header comment for PostProcessSandboxProfile() explains how variable
+  // substition works in sandbox templates.
+  // The returned string contains embedded variables. The function fills in
+  // |substitutions| to contain the values for these variables.
+  static NSString* BuildAllowDirectoryAccessSandboxString(
+                       const FilePath& allowed_dir,
+                       SandboxVariableSubstitions* substitutions);
+
+  // Assemble the final sandbox profile from a template by removing comments
+  // and substituting variables.
+  //
+  // |sandbox_template| is a string which contains 2 entitites to operate on:
+  //
+  // - Comments - The sandbox comment syntax is used to make the OS sandbox
+  // optionally ignore commands it doesn't support. e.g.
+  // ;10.6_ONLY (foo)
+  // Where (foo) is some command that is only supported on OS X 10.6.
+  // The ;10.6_ONLY comment can then be removed from the template to enable
+  // (foo) as appropriate.
+  //
+  // - Variables - denoted by @variable_name@ .  These are defined in the
+  // sandbox template in cases where another string needs to be substituted at
+  // runtime. e.g. @HOMEDIR_AS_LITERAL@ is substituted at runtime for the user's
+  // home directory escaped appropriately for a (literal ...) expression.
+  //
+  // |comments_to_remove| is a list of NSStrings containing the comments to
+  // remove.
+  // |substitutions| is a hash of "variable name" -> "string to substitute".
+  // Where the replacement string is tagged with information on how it is to be
+  // escaped e.g. used as part of a regex string or a literal.
+  //
+  // On output |final_sandbox_profile_str| contains the final sandbox profile.
+  // Returns true on success, false otherwise.
+  static bool PostProcessSandboxProfile(
+                  NSString* in_sandbox_data,
+                  NSArray* comments_to_remove,
+                  SandboxVariableSubstitions& substitutions,
+                  std::string *final_sandbox_profile_str);
+
+ private:
+  // Escape |src_utf8| for use in a plain string variable in a sandbox
+  // configuraton file.  On return |dst| is set to the quoted output.
+  // Returns: true on success, false otherwise.
+  static bool QuotePlainString(const std::string& src_utf8, std::string* dst);
+
+  // Escape |str_utf8| for use in a regex literal in a sandbox
+  // configuraton file.  On return |dst| is set to the utf-8 encoded quoted
+  // output.
+  //
+  // The implementation of this function is based on empirical testing of the
+  // OS X sandbox on 10.5.8 & 10.6.2 which is undocumented and subject to
+  // change.
+  //
+  // Note: If str_utf8 contains any characters < 32 || >125 then the function
+  // fails and false is returned.
+  //
+  // Returns: true on success, false otherwise.
+  static bool QuoteStringForRegex(const std::string& str_utf8,
+                                  std::string* dst);
+
+  // Convert provided path into a "canonical" path matching what the Sandbox
+  // expects i.e. one without symlinks.
+  // This path is not necessarily unique e.g. in the face of hardlinks.
+  static void GetCanonicalSandboxPath(FilePath* path);
+
+  FRIEND_TEST(MacDirAccessSandboxTest, StringEscape);
+  FRIEND_TEST(MacDirAccessSandboxTest, RegexEscape);
+  FRIEND_TEST(MacDirAccessSandboxTest, SandboxAccess);
+
+  DISALLOW_IMPLICIT_CONSTRUCTORS(Sandbox);
+};
+
 }  // namespace sandbox

 #endif  // CHROME_COMMON_SANDBOX_MAC_H_
--- a/chrome/common/sandbox_mac.mm
+++ b/chrome/common/sandbox_mac.mm
@@ -15,7 +15,6 @@ extern "C" {
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/file_util.h"
-#include "base/hash_tables.h"
 #include "base/mac_util.h"
 #include "base/rand_util_c.h"
 #include "base/mac/scoped_cftyperef.h"
@@ -70,19 +69,13 @@ bool EscapeSingleChar(char c, std::string* dst) {

 namespace sandbox {

-// A map of variable name -> string to substitute in its place.
-typedef base::hash_map<std::string, sandbox::SandboxSubstring>
-    SandboxVariableSubstitions;

-// Escape |str_utf8| for use in a plain string variable in a sandbox
-// configuraton file.  On return |dst| is set to the utf-8 encoded quoted
-// output.
-// Returns: true on success, false otherwise.
-bool QuotePlainString(const std::string& str_utf8, std::string* dst) {
+// static
+bool Sandbox::QuotePlainString(const std::string& src_utf8, std::string* dst) {
  dst->clear();

-  const char* src = str_utf8.c_str();
-  int32_t length = str_utf8.length();
+  const char* src = src_utf8.c_str();
+  int32_t length = src_utf8.length();
  int32_t position = 0;
  while (position < length) {
    UChar32 c;
@@ -113,18 +106,9 @@ bool QuotePlainString(const std::string& str_utf8, std::string* dst) {
  return true;
 }

-// Escape |str_utf8| for use in a regex literal in a sandbox
-// configuraton file.  On return |dst| is set to the utf-8 encoded quoted
-// output.
-//
-// The implementation of this function is based on empirical testing of the
-// OS X sandbox on 10.5.8 & 10.6.2 which is undocumented and subject to change.
-//
-// Note: If str_utf8 contains any characters < 32 || >125 then the function
-// fails and false is returned.
-//
-// Returns: true on success, false otherwise.
-bool QuoteStringForRegex(const std::string& str_utf8, std::string* dst) {
+// static
+bool Sandbox::QuoteStringForRegex(const std::string& str_utf8,
+                                  std::string* dst) {
  // Characters with special meanings in sandbox profile syntax.
  const char regex_special_chars[] = {
    '\\',
@@ -191,7 +175,9 @@ bool QuoteStringForRegex(const std::string& str_utf8, std::string* dst) {
 // enable the function is also noted.
 // This function is tested on the following OS versions:
 //     10.5.6, 10.6.0
-void SandboxWarmup() {
+
+// static
+void Sandbox::SandboxWarmup() {
  base::mac::ScopedNSAutoreleasePool scoped_pool;

  { // CGColorSpaceCreateWithName(), CGBitmapContextCreate() - 10.5.6
@@ -247,16 +233,8 @@ void SandboxWarmup() {
  }
 }

-// Build the Sandbox command necessary to allow access to a named directory
-// indicated by |allowed_dir|.
-// Returns a string containing the sandbox profile commands necessary to allow
-// access to that directory or nil if an error occured.
-
-// The header comment for PostProcessSandboxProfile() explains how variable
-// substition works in sandbox templates.
-// The returned string contains embedded variables. The function fills in
-// |substitutions| to contain the values for these variables.
-NSString* BuildAllowDirectoryAccessSandboxString(
+// static
+NSString* Sandbox::BuildAllowDirectoryAccessSandboxString(
    const FilePath& allowed_dir,
    SandboxVariableSubstitions* substitutions) {
  // A whitelist is used to determine which directories can be statted
@@ -317,21 +295,21 @@ NSString* BuildAllowDirectoryAccessSandboxString(

 // Load the appropriate template for the given sandbox type.
 // Returns the template as an NSString or nil on error.
-NSString* LoadSandboxTemplate(SandboxProcessType sandbox_type) {
+NSString* LoadSandboxTemplate(Sandbox::SandboxProcessType sandbox_type) {
  // We use a custom sandbox definition file to lock things down as
  // tightly as possible.
  NSString* sandbox_config_filename = nil;
  switch (sandbox_type) {
-    case SANDBOX_TYPE_RENDERER:
+    case Sandbox::SANDBOX_TYPE_RENDERER:
      sandbox_config_filename = @"renderer";
      break;
-    case SANDBOX_TYPE_WORKER:
+    case Sandbox::SANDBOX_TYPE_WORKER:
      sandbox_config_filename = @"worker";
      break;
-    case SANDBOX_TYPE_UTILITY:
+    case Sandbox::SANDBOX_TYPE_UTILITY:
      sandbox_config_filename = @"utility";
      break;
-    case SANDBOX_TYPE_NACL_LOADER:
+    case Sandbox::SANDBOX_TYPE_NACL_LOADER:
      // The Native Client loader is used for safeguarding the user's
      // untrusted code within Native Client.
      sandbox_config_filename = @"nacl_loader";
@@ -384,35 +362,12 @@ void GetOSVersion(bool* snow_leopard_or_higher) {
      (major_version > 10 || (major_version == 10 && minor_version >= 6));
 }

-// Assemble the final sandbox profile from a template by removing comments
-// and substituting variables.
-//
-// |sandbox_template| is a string which contains 2 entitites to operate on:
-//
-// - Comments - The sandbox comment syntax is used to make the OS sandbox
-// optionally ignore commands it doesn't support. e.g.
-// ;10.6_ONLY (foo)
-// Where (foo) is some command that is only supported on OS X 10.6.
-// The ;10.6_ONLY comment can then be removed from the template to enable (foo)
-// as appropriate.
-//
-// - Variables - denoted by @variable_name@ .  These are defined in the sandbox
-// template in cases where another string needs to be substituted at runtime.
-// e.g. @HOMEDIR_AS_LITERAL@ is substituted at runtime for the user's home
-// directory escaped appropriately for a (literal ...) expression.
-//
-// |comments_to_remove| is a list of NSStrings containing the comments to
-// remove.
-// |substitutions| is a hash of "variable name" -> "string to substitute".
-// Where the replacement string is tagged with information on how it is to be
-// escaped e.g. used as part of a regex string or a literal.
-//
-// On output |final_sandbox_profile_str| contains the final sandbox profile.
-// Returns true on success, false otherwise.
-bool PostProcessSandboxProfile(NSString* sandbox_template,
-                               NSArray* comments_to_remove,
-                               SandboxVariableSubstitions& substitutions,
-                               std::string *final_sandbox_profile_str) {
+// static
+bool Sandbox::PostProcessSandboxProfile(
+        NSString* sandbox_template,
+        NSArray* comments_to_remove,
+        SandboxVariableSubstitions& substitutions,
+        std::string *final_sandbox_profile_str) {
  NSString* sandbox_data = [[sandbox_template copy] autorelease];

  // Remove comments, e.g. ;10.6_ONLY .
@@ -475,8 +430,10 @@ bool PostProcessSandboxProfile(NSString* sandbox_template,


 // Turns on the OS X sandbox for this process.
-bool EnableSandbox(SandboxProcessType sandbox_type,
-                   const FilePath& allowed_dir) {
+
+// static
+bool Sandbox::EnableSandbox(SandboxProcessType sandbox_type,
+                            const FilePath& allowed_dir) {
  // Sanity - currently only SANDBOX_TYPE_UTILITY supports a directory being
  // passed in.
  if (sandbox_type != SANDBOX_TYPE_UTILITY) {
@@ -570,7 +527,8 @@ bool EnableSandbox(SandboxProcessType sandbox_type,
  return success;
 }

-void GetCanonicalSandboxPath(FilePath* path) {
+// static
+void Sandbox::GetCanonicalSandboxPath(FilePath* path) {
  int fd = HANDLE_EINTR(open(path->value().c_str(), O_RDONLY));
  if (fd < 0) {
    PLOG(FATAL) << "GetCanonicalSandboxPath() failed for: "

--- a/chrome/common/sandbox_mac_diraccess_unittest.mm
+++ b/chrome/common/sandbox_mac_diraccess_unittest.mm
@@ -11,7 +11,6 @@ extern "C" {

 #include "base/file_util.h"
 #include "base/file_path.h"
-#include "base/hash_tables.h"
 #include "base/test/multiprocess_test.h"
 #include "base/sys_string_conversions.h"
 #include "base/utf_string_conversions.h"
@@ -19,30 +18,17 @@ extern "C" {
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/multiprocess_func_list.h"

-// Tests to exercise directory-access-related restrictions of Mac sandbox.
-
-namespace sandbox {
-
-typedef base::hash_map<std::string, SandboxSubstring>
-    SandboxVariableSubstitions;
-
-bool QuotePlainString(const std::string& str_utf8, std::string* dst);
-bool QuoteStringForRegex(const std::string& str_utf8, std::string* dst);
-NSString* BuildAllowDirectoryAccessSandboxString(
-    const FilePath& allowed_dir,
-    SandboxVariableSubstitions* substitutions);
-bool PostProcessSandboxProfile(NSString* in_sandbox_data,
-                               NSArray* comments_to_remove,
-                               SandboxVariableSubstitions& substitutions,
-                               std::string *final_sandbox_profile_str);
-
-}  // namespace sandbox
-
 namespace {

 static const char* kSandboxAccessPathKey = "sandbox_dir";
 static const char* kDeniedSuffix = "_denied";

+}  // namespace
+
+// Tests need to be in the same namespace as the sandbox::Sandbox class to be
+// useable with FRIEND_TEST() declaration.
+namespace sandbox {
+
 class MacDirAccessSandboxTest : public base::MultiProcessTest {
 public:
  bool CheckSandbox(const std::string& directory_to_try) {
@@ -59,8 +45,6 @@ class MacDirAccessSandboxTest : public base::MultiProcessTest {
 };

 TEST_F(MacDirAccessSandboxTest, StringEscape) {
-  using sandbox::QuotePlainString;
-
  const struct string_escape_test_data {
  const char* to_escape;
  const char* escaped;
@@ -76,14 +60,12 @@ TEST_F(MacDirAccessSandboxTest, StringEscape) {
  for (size_t i = 0; i < ARRAYSIZE_UNSAFE(string_escape_cases); ++i) {
    std::string out;
    std::string in(string_escape_cases[i].to_escape);
-    EXPECT_TRUE(QuotePlainString(in, &out));
+    EXPECT_TRUE(Sandbox::QuotePlainString(in, &out));
    EXPECT_EQ(string_escape_cases[i].escaped, out);
  }
 }

 TEST_F(MacDirAccessSandboxTest, RegexEscape) {
-  using sandbox::QuoteStringForRegex;
-
  const std::string kSandboxEscapeSuffix("(/|$)");
  const struct regex_test_data {
    const wchar_t *to_escape;
@@ -101,24 +83,25 @@ TEST_F(MacDirAccessSandboxTest, RegexEscape) {
    std::string out;
    char fail_string[] = {31, 0};
    char ok_string[] = {32, 0};
-    EXPECT_FALSE(QuoteStringForRegex(fail_string, &out));
-    EXPECT_TRUE(QuoteStringForRegex(ok_string, &out));
+    EXPECT_FALSE(Sandbox::QuoteStringForRegex(fail_string, &out));
+    EXPECT_TRUE(Sandbox::QuoteStringForRegex(ok_string, &out));
  }

  // Check that all characters whose values are larger than 126 [7E] are
  // rejected by the regex escaping code.
  {
    std::string out;
-    EXPECT_TRUE(QuoteStringForRegex("}", &out));   // } == 0x7D == 125
-    EXPECT_FALSE(QuoteStringForRegex("~", &out));  // ~ == 0x7E == 126
-    EXPECT_FALSE(QuoteStringForRegex(WideToUTF8(L"^\u2135.\u2136$"), &out));
+    EXPECT_TRUE(Sandbox::QuoteStringForRegex("}", &out));   // } == 0x7D == 125
+    EXPECT_FALSE(Sandbox::QuoteStringForRegex("~", &out));  // ~ == 0x7E == 126
+    EXPECT_FALSE(
+        Sandbox::QuoteStringForRegex(WideToUTF8(L"^\u2135.\u2136$"), &out));
  }

  {
    for (size_t i = 0; i < ARRAYSIZE_UNSAFE(regex_cases); ++i) {
      std::string out;
      std::string in = WideToUTF8(regex_cases[i].to_escape);
-      EXPECT_TRUE(QuoteStringForRegex(in, &out));
+      EXPECT_TRUE(Sandbox::QuoteStringForRegex(in, &out));
      std::string expected("^");
      expected.append(regex_cases[i].escaped);
      expected.append(kSandboxEscapeSuffix);
@@ -137,7 +120,7 @@ TEST_F(MacDirAccessSandboxTest, RegexEscape) {
    expected.append(kSandboxEscapeSuffix);

    std::string out;
-    EXPECT_TRUE(QuoteStringForRegex(in_utf8, &out));
+    EXPECT_TRUE(Sandbox::QuoteStringForRegex(in_utf8, &out));
    EXPECT_EQ(expected, out);

  }
@@ -163,7 +146,7 @@ TEST_F(MacDirAccessSandboxTest, SandboxAccess) {
  // This step is important on OS X since the sandbox only understands "real"
  // paths and the paths CreateNewTempDirectory() returns are empirically in
  // /var which is a symlink to /private/var .
-  sandbox::GetCanonicalSandboxPath(&tmp_dir);
+  Sandbox::GetCanonicalSandboxPath(&tmp_dir);
  ScopedDirectory cleanup(&tmp_dir);

  const char* sandbox_dir_cases[] = {
@@ -205,9 +188,9 @@ MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) {
      ";ENABLE_DIRECTORY_ACCESS";

  std::string allowed_dir(sandbox_allowed_dir);
-  sandbox::SandboxVariableSubstitions substitutions;
+  Sandbox::SandboxVariableSubstitions substitutions;
  NSString* allow_dir_sandbox_code =
-      sandbox::BuildAllowDirectoryAccessSandboxString(
+      Sandbox::BuildAllowDirectoryAccessSandboxString(
          FilePath(sandbox_allowed_dir),
          &substitutions);
  sandbox_profile = [sandbox_profile
@@ -215,15 +198,14 @@ MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) {
                                withString:allow_dir_sandbox_code];

  std::string final_sandbox_profile_str;
-  if (!PostProcessSandboxProfile(sandbox_profile,
-                                 [NSArray array],
-                                 substitutions,
-                                 &final_sandbox_profile_str)) {
+  if (!Sandbox::PostProcessSandboxProfile(sandbox_profile,
+                                          [NSArray array],
+                                          substitutions,
+                                          &final_sandbox_profile_str)) {
    LOG(ERROR) << "Call to PostProcessSandboxProfile() failed";
    return -1;
  }

-
  // Enable Sandbox.
  char* error_buff = NULL;
  int error = sandbox_init(final_sandbox_profile_str.c_str(), 0, &error_buff);
@@ -319,4 +301,4 @@ MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) {
  return 0;
 }

-}  // namespace
+}  // namespace sandbox
--- a/chrome/common/sandbox_mac_fontloading_unittest.mm
+++ b/chrome/common/sandbox_mac_fontloading_unittest.mm
@@ -16,6 +16,7 @@
 namespace {

 using sandboxtest::MacSandboxTest;
+using sandbox::Sandbox;

 bool CGFontFromFontContainer(ATSFontContainerRef container, CGFontRef* out) {
  // Count the number of fonts that were loaded.
@@ -169,7 +170,7 @@ TEST_F(MacSandboxTest, FontLoadingTest) {
  file_util::WriteFileDescriptor(fileno(temp_file),
      static_cast<const char *>(font_data.memory()), font_data_size);

-  ASSERT_TRUE(RunTestInSandbox(sandbox::SANDBOX_TYPE_RENDERER,
+  ASSERT_TRUE(RunTestInSandbox(Sandbox::SANDBOX_TYPE_RENDERER,
                  "FontLoadingTestCase", temp_file_path.value().c_str()));
  temp_file_closer.reset();
  ASSERT_TRUE(file_util::Delete(temp_file_path, false));

--- a/chrome/common/sandbox_mac_unittest_helper.h
+++ b/chrome/common/sandbox_mac_unittest_helper.h
@@ -50,7 +50,7 @@ class MacSandboxTest : public base::MultiProcessTest {
  // to the child process runing in the sandbox.
  // Returns true if the test passes, false if either of the functions in
  // the corresponding MacSandboxTestCase return false.
-  bool RunTestInSandbox(sandbox::SandboxProcessType sandbox_type,
+  bool RunTestInSandbox(sandbox::Sandbox::SandboxProcessType sandbox_type,
                        const char* test_name,
                        const char* test_data);


--- a/chrome/common/sandbox_mac_unittest_helper.mm
+++ b/chrome/common/sandbox_mac_unittest_helper.mm
@@ -16,6 +16,8 @@ extern "C" {
 #include "chrome/common/sandbox_mac.h"
 #include "testing/multiprocess_func_list.h"

+using sandbox::Sandbox;
+
 namespace {

 const char* kSandboxTypeKey = "CHROMIUM_SANDBOX_SANDBOX_TYPE";
@@ -52,10 +54,10 @@ bool MacSandboxTest:: RunTestInAllSandboxTypes(const char* test_name,
                                const char* test_data) {
  // Go through all the sandbox types, and run the test case in each of them
  // if one fails, abort.
-  for(int i = static_cast<int>(sandbox::SANDBOX_TYPE_FIRST_TYPE);
-      i < sandbox::SANDBOX_AFTER_TYPE_LAST_TYPE;
+  for(int i = static_cast<int>(Sandbox::SANDBOX_TYPE_FIRST_TYPE);
+      i < Sandbox::SANDBOX_AFTER_TYPE_LAST_TYPE;
      ++i) {
-    if (!RunTestInSandbox(static_cast<sandbox::SandboxProcessType>(i),
+    if (!RunTestInSandbox(static_cast<Sandbox::SandboxProcessType>(i),
            test_name, test_data)) {
      LOG(ERROR) << "Sandboxed test (" << test_name << ")" <<
          "Failed in sandbox type " << i <<
@@ -66,7 +68,7 @@ bool MacSandboxTest:: RunTestInAllSandboxTypes(const char* test_name,
 return true;
 }

-bool MacSandboxTest::RunTestInSandbox(sandbox::SandboxProcessType sandbox_type,
+bool MacSandboxTest::RunTestInSandbox(Sandbox::SandboxProcessType sandbox_type,
                                      const char* test_name,
                                      const char* test_data) {
  std::stringstream s;
@@ -116,8 +118,8 @@ MULTIPROCESS_TEST_MAIN(mac_sandbox_test_runner) {
    LOG(ERROR) << "Sandbox type not specified";
    return -1;
  }
-  sandbox::SandboxProcessType sandbox_type =
-      static_cast<sandbox::SandboxProcessType>(atoi(sandbox_type_str));
+  Sandbox::SandboxProcessType sandbox_type =
+      static_cast<Sandbox::SandboxProcessType>(atoi(sandbox_type_str));
  char* sandbox_test_name = getenv(kSandboxTestNameKey);
  if (!sandbox_test_name) {
    LOG(ERROR) << "Sandbox test name not specified";
@@ -141,9 +143,9 @@ MULTIPROCESS_TEST_MAIN(mac_sandbox_test_runner) {
    return -1;
  }

-  sandbox::SandboxWarmup();
+  Sandbox::SandboxWarmup();

-  if (!sandbox::EnableSandbox(sandbox_type, FilePath())) {
+  if (!Sandbox::EnableSandbox(sandbox_type, FilePath())) {
    LOG(ERROR) << "Failed to initialize sandbox " << sandbox_type;
    return -1;
  }