macOS V2 Sandbox: Leverage additional enforcement options.

This enforces additional restrictions, such as iokit-get-properties and
process-info, that the default policy allows.

Bug: 799149
Change-Id: If2b53df37c78fad2dee7aefb2e7b17d189c6618a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1586200Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#654630}

services/service_manager/sandbox/mac/common.sb

@@ -182,6 +182,7 @@
   (sysctl-name "hw.cachelinesize_compat")
   (sysctl-name "hw.cpufrequency_compat")
   (sysctl-name "hw.cputype")
+  (sysctl-name "hw.logicalcpu_max")
   (sysctl-name "hw.machine")
   (sysctl-name "hw.ncpu")
   (sysctl-name "hw.pagesize_compat")
@@ -192,6 +193,7 @@
   (sysctl-name "kern.maxfilesperproc")
   (sysctl-name "kern.osrelease")
   (sysctl-name "kern.ostype")
+  (sysctl-name "kern.osvariant_status")
   (sysctl-name "kern.osversion")
   (sysctl-name "kern.usrstack64")
   (sysctl-name "kern.version")

services/service_manager/sandbox/mac/renderer.sb

@@ -4,9 +4,17 @@
 
 ; --- The contents of common.sb implicitly included here. ---
 
+; Put the denials first.
+; crbug.com/799149: These operations are allowed by default.
+(deny iokit-get-properties process-info* nvram*)
+
 ; Allow cf prefs to work.
 (allow user-preference-read)
 
+; process-info
+(allow process-info-pidinfo)
+(allow process-info-setcontrol (target self))
+
 ; File reads.
 ; Reads from the home directory.
 (allow file-read-data
@@ -67,3 +75,15 @@
   (global-name "com.apple.lsd.mapdb")
   (global-name "com.apple.system.notification_center")  ; https://crbug.com/792217
 )
+
+; IOKit properties.
+(allow iokit-get-properties
+  (iokit-property "CaseSensitive")
+  (iokit-property "Ejectable")
+  (iokit-property "Encrypted")
+  (iokit-property "IOClassNameOverride")
+  (iokit-property "IOMediaIcon")
+  (iokit-property "Protocol Characteristics")
+  (iokit-property "Removable")
+  (iokit-property "image-encrypted")
+)