[Mac] Disable all sandboxd logging unless running with --enable-sandbox-logging.

This prevents console spew.

BUG=26621
TEST=Run Chrome and don't get messages in Console.app from sandboxd about Chrome Helper. Run with --enable-sandbox-logging and get them.

Review URL: http://codereview.chromium.org/3155031

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57191 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 34 insertions, 11 deletions

diff --git a/chrome/common/common.sb b/chrome/common/common.sb
index 71c73cf..f8d4f1c 100644
--- a/chrome/common/common.sb
+++ b/chrome/common/common.sb
@@ -3,10 +3,15 @@
 ;; Use of this source code is governed by a BSD-style license that can be
 ;; found in the LICENSE file.
 ;;
-; This configuration file isn't used on it's own, but instead implicity included
-; at the start of all other sandbox configuration files in Chrome.
+; This configuration file isn't used on it's own, but instead implicitly
+; included at the start of all other sandbox configuration files in Chrome.
 (version 1)
-(deny default)
+
+; DISABLE_SANDBOX_DENIAL_LOGGING expands to syntax that turns off log message
+; printing on sandbox exceptions; this functionality only exists on 10.6. The
+; --enable-sandbox-logging flag or system versions <10.6 cause this flag to
+; expand to an empty string. http://crbug.com/26621
+(deny default DISABLE_SANDBOX_DENIAL_LOGGING)
 
 ; Support for programmatically enabling verbose debugging.
 ;ENABLE_LOGGING (debug deny)
diff --git a/chrome/common/sandbox_mac.mm b/chrome/common/sandbox_mac.mm
index c514a10..303a538 100644
--- a/chrome/common/sandbox_mac.mm
+++ b/chrome/common/sandbox_mac.mm
@@ -309,15 +309,37 @@ bool EnableSandbox(SandboxProcessType sandbox_type,
   sandbox_data =
       [common_sandbox_prefix_data stringByAppendingString:sandbox_data];
 
-  // Enable verbose logging if enabled on the command line.
-  // (see renderer.sb for details).
+  // Enable verbose logging if enabled on the command line. (See common.sb
+  // for details).
   const CommandLine *command_line = CommandLine::ForCurrentProcess();
-  if (command_line->HasSwitch(switches::kEnableSandboxLogging)) {
+  bool enable_logging =
+      command_line->HasSwitch(switches::kEnableSandboxLogging);
+  if (enable_logging) {
     sandbox_data = [sandbox_data
         stringByReplacingOccurrencesOfString:@";ENABLE_LOGGING"
                                   withString:@""];
   }
 
+  // Get the OS version.
+  int32 major_version, minor_version, bugfix_version;
+  base::SysInfo::OperatingSystemVersionNumbers(&major_version,
+      &minor_version, &bugfix_version);
+  bool snow_leopard_or_higher =
+      (major_version > 10 || (major_version == 10 && minor_version >= 6));
+
+  // Without this, the sandbox will print a message to the system log every
+  // time it denies a request.  This floods the console with useless spew. The
+  // (with no-log) syntax is only supported on 10.6+
+  if (snow_leopard_or_higher && !enable_logging) {
+    sandbox_data = [sandbox_data
+        stringByReplacingOccurrencesOfString:@"DISABLE_SANDBOX_DENIAL_LOGGING"
+                                  withString:@"(with no-log)"];
+  } else {
+    sandbox_data = [sandbox_data
+        stringByReplacingOccurrencesOfString:@"DISABLE_SANDBOX_DENIAL_LOGGING"
+                                  withString:@""];
+  }
+
   if (!allowed_dir.empty()) {
     // The sandbox only understands "real" paths.  This resolving step is
     // needed so the caller doesn't need to worry about things like /var
@@ -343,11 +365,7 @@ bool EnableSandbox(SandboxProcessType sandbox_type,
 
   }
 
-  int32 major_version, minor_version, bugfix_version;
-  base::SysInfo::OperatingSystemVersionNumbers(&major_version,
-      &minor_version, &bugfix_version);
-
-  if (major_version > 10 || (major_version == 10 && minor_version >= 6)) {
+  if (snow_leopard_or_higher) {
     // 10.6-only Sandbox rules.
     sandbox_data = [sandbox_data
         stringByReplacingOccurrencesOfString:@";10.6_ONLY"