1 files changed, 26 insertions, 14 deletions
diff --git a/sandbox/mac/policy.cc b/sandbox/mac/policy.cc
index 5493c28..293255a 100644
--- a/sandbox/mac/policy.cc
+++ b/sandbox/mac/policy.cc
@@ -21,22 +21,34 @@ Rule::Rule(mach_port_t override_port)
       substitute_port(override_port) {
 }
 
+BootstrapSandboxPolicy::BootstrapSandboxPolicy()
+    : default_rule(POLICY_DENY_ERROR) {
+}
+
+BootstrapSandboxPolicy::~BootstrapSandboxPolicy() {}
+
+static bool IsRuleValid(const Rule& rule) {
+  if (!(rule.result > POLICY_DECISION_INVALID &&
+        rule.result < POLICY_DECISION_LAST)) {
+    return false;
+  }
+  if (rule.result == POLICY_SUBSTITUTE_PORT) {
+    if (rule.substitute_port == MACH_PORT_NULL)
+      return false;
+  } else {
+    if (rule.substitute_port != MACH_PORT_NULL)
+      return false;
+  }
+  return true;
+}
+
 bool IsPolicyValid(const BootstrapSandboxPolicy& policy) {
-  for (BootstrapSandboxPolicy::const_iterator it = policy.begin();
-       it != policy.end();
-       ++it) {
-    const Rule& rule = it->second;
-    if (!(rule.result > POLICY_DECISION_INVALID &&
-          rule.result < POLICY_DECISION_LAST)) {
+  if (!IsRuleValid(policy.default_rule))
+    return false;
+
+  for (const auto& pair : policy.rules) {
+    if (!IsRuleValid(pair.second))
       return false;
-    }
-    if (rule.result == POLICY_SUBSTITUTE_PORT) {
-      if (rule.substitute_port == MACH_PORT_NULL)
-        return false;
-    } else {
-      if (rule.substitute_port != MACH_PORT_NULL)
-        return false;
-    }
   }
   return true;
 }