Add IsSandboxed() function to seatbelt wrapper.

This adds a function that checks whether or not the process is currently
sandboxed. It uses the underlying sandbox_check() functionality,
which is not yet further exposed.

BUG=689306

Review-Url: https://codereview.chromium.org/2914693002
Cr-Commit-Position: refs/heads/master@{#476370}

sandbox/mac/sandbox_mac_compiler_unittest.mm

@@ -11,6 +11,7 @@
 #include "base/test/multiprocess_test.h"
 #include "base/test/test_timeouts.h"
 #include "sandbox/mac/sandbox_compiler.h"
+#include "sandbox/mac/seatbelt.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/multiprocess_func_list.h"
 
@@ -162,4 +163,27 @@ TEST_F(SandboxMacCompilerTest, ProfileFunctionalityTestError) {
   EXPECT_EQ(exit_code, 0);
 }
 
+MULTIPROCESS_TEST_MAIN(SandboxCheckTestProcess) {
+  CHECK(!Seatbelt::IsSandboxed());
+  std::string profile =
+      "(version 1)"
+      "(deny default (with no-log))";
+
+  SandboxCompiler compiler(profile);
+  std::string error;
+  CHECK(compiler.CompileAndApplyProfile(&error));
+  CHECK(Seatbelt::IsSandboxed());
+
+  return 0;
+}
+
+TEST_F(SandboxMacCompilerTest, SandboxCheckTest) {
+  base::SpawnChildResult spawn_child = SpawnChild("SandboxCheckTestProcess");
+  ASSERT_TRUE(spawn_child.process.IsValid());
+  int exit_code = 42;
+  EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout(
+      TestTimeouts::action_max_timeout(), &exit_code));
+  EXPECT_EQ(exit_code, 0);
+}
+
 }  // namespace sandbox

sandbox/mac/seatbelt.cc

@@ -4,6 +4,8 @@
 
 #include "sandbox/mac/seatbelt.h"
 
+#include <unistd.h>
+
 extern "C" {
 #include <sandbox.h>
 
@@ -11,6 +13,12 @@ int sandbox_init_with_parameters(const char* profile,
                                  uint64_t flags,
                                  const char* const parameters[],
                                  char** errorbuf);
+
+// Not deprecated. The canonical usage to test if sandboxed is
+// sandbox_check(getpid(), NULL, SANDBOX_FILTER_NONE), which returns
+// 1 if sandboxed. Note `type` is actually a sandbox_filter_type enum value, but
+// it is unused currently.
+int sandbox_check(pid_t pid, const char* operation, int type, ...);
 };
 
 namespace sandbox {
@@ -54,4 +62,9 @@ void Seatbelt::FreeError(char* errorbuf) {
 #pragma clang diagnostic pop
 }
 
+// static
+bool Seatbelt::IsSandboxed() {
+  return ::sandbox_check(getpid(), NULL, 0);
+}
+
 }  // namespace sandbox

sandbox/mac/seatbelt.h

@@ -17,15 +17,28 @@ namespace sandbox {
 // This class wraps the functions in deprecation warning supressions.
 class SEATBELT_EXPORT Seatbelt {
  public:
+  // Initializes the specified sandbox profile. Returns 0 on success, else -1
+  // and |errorbuf| is populated. |errorbuf| is allocated by the API and must be
+  // freed with FreeError().
   static int Init(const char* profile, uint64_t flags, char** errorbuf);
 
+  // Initializes the specified sandbox profile and passes the parameters to the
+  // |profile|. |parameters| is a null terminated list containing key,value
+  // pairs in sequence. [key1,val1,key2,val2,nullptr]. |errorbuf| is allocated
+  // by the API and is set to a string description of the error. |errorbuf| must
+  // be freed with FreeError(). This function eturns 0 on success, else -1 and
+  // |errorbuf| is populated.
   static int InitWithParams(const char* profile,
                             uint64_t flags,
                             const char* const parameters[],
                             char** errorbuf);
 
+  // Frees the |errorbuf| allocated and set by InitWithParams.
   static void FreeError(char* errorbuf);
 
+  // Returns whether or not the process is currently sandboxed.
+  static bool IsSandboxed();
+
   static const char* kProfileNoInternet;
 
   static const char* kProfileNoNetwork;